North American Network Operators Group


RE: PGP keyserver infrastructure

  • From: L. Sassaman
  • Date: Fri Jun 30 15:42:31 2000


On Thu, 29 Jun 2000, Roeland M.J. Meyer wrote:

> Going down one level of abstraction, has anyone on this list
> checked out
> Most modern mailers support X.509 certs for encryption. PGP is
> considered, by many, to be the older technology. Building PKI
> around X.509 is much easier and meets actual existing standards.

Snort. Actually, that's an untrue statement on multiple points.

X.509 is a much older and cruftier standard. PGP is recognised by most to
be the superior method for handling email and file encryption and signing.
X.509 is designed to satisfy situations where there is a complex hierarchy
in an X.500 setting.

I have yet to find anything "easy" about X.509. OpenPGP (which is the term
for the draft standard on which PGP, GnuPG, and other products like
SafeMail are based -- see RFC 2440) is much simpler for the end user to

Note, also, that it is extremely easy to bind an X.509 certificate to an
OpenPGP key, for instances where X.509 is necessary. You can also have
multiple X.509 certificates bound to one OpenPGP key, all sharing the same
key material. Much more convenient.

If you want X.509, OpenSSL is excellent, though. I am the Project Lead for
FreeCert ( and we are using the OpenSSL toolkit with our

OpenCA is cute, but I wouldn't design a CA based on perl code.


L. Sassaman

System Administrator                |  
Technology Consultant               |  "Common sense is wrong." 
icq.. 10735603                      |  
pgp.. finger:// |    --Practical C Programming
