openPGP vs x509

Atom 'Smasher' atom-gpg at
Wed Apr 7 08:42:40 CEST 2004


> Check

it's still based on the x509 PKI (trust us: single point of failure),
which i don't like as much as the openPGP PKI (web of trust: tunable to
the paranoia and needs of the end user).

it doesn't seem hard (in theory) to implement a (user-friendly!) openPGP
type of PKI into web browsers... one could import PGP keys into their
browser (or just leave the default verisign/thawte/etc keys), assign
levels of trust to those keys, and assuming that the user-defined (or
default) trust settings are met, everything proceeds as normal... except
of course that one's PGP key could be used to sign a web site's
certificate and "trust" doesn't have to be issued from a central point.

really, it could be done in a way that's invisible to the 99% of end users
who don't know or care about crypto/keys/certs (like it is now), but could
open a lot of possibilities for people who want to hack around and
experiment, and not rely on a single point of failure.

of course, there'd still be a need for CAs: some web sites will still
prefer to buy their "trust" from a "trusted" source, rather than enter
into a "web" of trust (corporate mentality)... and those are the companies
that don't mind paying the verisign tax.


 PGP key
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3

	"There can be no greater good than the quest for peace,
	 and no finer purpose than the preservation of freedom."
		-- U.S. President Ronald Reagan
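As an added illustration (not part of the original post), a toy model of the two trust policies the post contrasts: the single-root check a browser makes against a fixed CA store, beside a web-of-trust check that follows GnuPG's classic defaults (one fully trusted signer, or three marginally trusted ones, is enough). All key ids, hostnames and trust assignments below are constructed sample data.

```python
# Added example, not code from the original post. Models the two policies
# contrasted above: X.509 accepts a site certificate if any single root in a
# fixed store signed it; a PGP-style web of trust accepts it only if signers
# the *user* trusts reach a threshold (GnuPG's classic defaults: one "full"
# signer, or MARGINALS_NEEDED "marginal" ones). Sample data is constructed.
from dataclasses import dataclass

MARGINALS_NEEDED = 3  # GnuPG's default --marginals-needed


@dataclass
class SiteCert:
    host: str
    signers: set  # ids of the keys that signed this certificate


def x509_valid(cert, root_store):
    """Single-root model: any one root in the store is sufficient."""
    return bool(cert.signers & root_store)


def wot_valid(cert, trust):
    """trust maps key_id -> 'full' | 'marginal', set by the user (or defaults)."""
    full = sum(1 for k in cert.signers if trust.get(k) == "full")
    marginal = sum(1 for k in cert.signers if trust.get(k) == "marginal")
    return full >= 1 or marginal >= MARGINALS_NEEDED


# Constructed scenario: two default CA keys; the user keeps one CA at "full",
# demotes the other to "marginal", and adds three colleagues as marginal signers.
ROOT_STORE = {"ca-verisign", "ca-thawte"}
DEFAULT_TRUST = {"ca-verisign": "full", "ca-thawte": "full"}
USER_TRUST = {"ca-verisign": "full", "ca-thawte": "marginal",
              "alice": "marginal", "bob": "marginal", "carol": "marginal"}

CA_SIGNED = SiteCert("shop.example", {"ca-thawte"})
PEER_SIGNED = SiteCert("wiki.example", {"alice", "bob", "carol"})
TWO_PEERS = SiteCert("blog.example", {"alice", "bob"})


def demo():
    return {
        "ca_signed_x509": x509_valid(CA_SIGNED, ROOT_STORE),            # True
        "ca_signed_wot_default": wot_valid(CA_SIGNED, DEFAULT_TRUST),   # True
        "ca_signed_wot_user": wot_valid(CA_SIGNED, USER_TRUST),         # False: demoted CA alone
        "peer_signed_x509": x509_valid(PEER_SIGNED, ROOT_STORE),        # False: no CA involved
        "peer_signed_wot_user": wot_valid(PEER_SIGNED, USER_TRUST),     # True: 3 marginals
        "two_peers_wot_user": wot_valid(TWO_PEERS, USER_TRUST),         # False: below threshold
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```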

