North American Network Operators Group


RE: PGP keyserver infrastructure

  • From: L. Sassaman
  • Date: Fri Jun 30 15:42:31 2000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 29 Jun 2000, Roeland M.J. Meyer wrote:

> Going down one level of abstraction, has anyone on this list checked out
> http://www.openca.org
> http://www.openssl.org
> 
> Most modern mailers support X.509 certs for encryption. PGP is
> considered, by many, to be the older technology. Building PKI
> around X.509 is much easier and meets actual existing standards.

Snort. Actually, that's an untrue statement on multiple points. 

X.509 is a much older and cruftier standard. PGP is recognised by most to
be the superior method for handling email and file encryption and signing.
X.509 is designed to satisfy situations where there is a complex hierarchy
in an X.500 setting.

I have yet to find anything "easy" about X.509. OpenPGP (which is the term
for the draft standard on which PGP, GnuPG, and other products like
SafeMail are based -- see RFC 2440) is much simpler for the end user to
adopt.

Note, also, that it is extremely easy to bind an X.509 certificate to an
OpenPGP key, for instances where X.509 is necessary. You can also have
multiple X.509 certificates bound to one OpenPGP key, all sharing the same
key material. Much more convenient.

If you want X.509, OpenSSL is excellent, though. I am the Project Lead for
FreeCert (freecert.org) and we are using the OpenSSL toolkit with our
development.

OpenCA is cute, but I wouldn't design a CA based on perl code.

__

L. Sassaman

System Administrator                |  
Technology Consultant               |  "Common sense is wrong." 
icq.. 10735603                      |  
pgp.. finger://ns.quickie.net/rabbi |    --Practical C Programming

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5XPdKPYrxsgmsCmoRAlkwAKD3rioArNPNz2d8bSLGKyoEizpLTwCgzgzm
utInj001vBRLdksR6U81bZE=
=Ddf+
-----END PGP SIGNATURE-----
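The "same key material" point in the message above, shown concretely as an added example (this is not code from the original post, from FreeCert, or from any of the projects named): one RSA public key (n, e) is encoded both as an RFC 2440 version 4 public-key packet, from which the OpenPGP fingerprint and key ID are derived, and as the X.509 SubjectPublicKeyInfo that would sit inside a certificate. A small parser on each side pulls the numbers back out so the two encodings can be checked against each other. The key material is a constructed toy (a 196-bit product of two Mersenne primes) and the creation timestamp is made up; neither is a real key.

```python
import hashlib
import struct

# Constructed toy RSA key material for this example only: a 196-bit
# semiprime built from two Mersenne primes. Far too small for real use.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
CREATED = 962394151  # constructed key-creation timestamp (seconds since epoch)

# rsaEncryption OID 1.2.840.113549.1.1.1, DER-encoded (tag 06, length 09)
RSA_ENCRYPTION_OID = bytes.fromhex("06092A864886F70D010101")


# ---- OpenPGP side (RFC 2440, version 4 public-key packet) ----

def mpi(x):
    """RFC 2440 multi-precision integer: two-octet bit count, then the
    big-endian value with no leading zero octets."""
    body = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return struct.pack(">H", x.bit_length()) + body


def read_mpi(buf, off):
    """Decode one MPI at buf[off]; return (value, offset_after)."""
    (bits,) = struct.unpack(">H", buf[off:off + 2])
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), off + 2 + nbytes


def openpgp_public_key_packet(n, e, created):
    """Tag 6 public-key packet, old-format header with a two-octet length.
    Body: version 4, creation time, algorithm 1 (RSA), MPI n, MPI e."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    # 0x99 = 1 0 0110 01: old format, tag 6, two-octet length field
    return b"\x99" + struct.pack(">H", len(body)) + body


def openpgp_fingerprint(packet):
    """v4 fingerprint: SHA-1 over 0x99, the two-octet length and the body,
    which is exactly the packet bytes produced above."""
    return hashlib.sha1(packet).hexdigest().upper()


def openpgp_key_id(packet):
    """Key ID is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return openpgp_fingerprint(packet)[-16:]


def parse_openpgp_public_key(packet):
    """Recover creation time, n and e from a v4 RSA public-key packet."""
    assert packet[0] == 0x99, "expected old-format tag 6 with 2-octet length"
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    assert len(body) == length and body[0] == 4 and body[5] == 1
    (created,) = struct.unpack(">I", body[1:5])
    n, off = read_mpi(body, 6)
    e, off = read_mpi(body, off)
    assert off == length, "trailing bytes in key packet"
    return {"created": created, "n": n, "e": e}


# ---- X.509 side (DER SubjectPublicKeyInfo for an RSA key) ----

def der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(x):
    """DER INTEGER: minimal big-endian bytes, leading 0x00 if top bit set."""
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der(0x02, b)


def x509_subject_public_key_info(n, e):
    """SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }"""
    rsa_pub = der(0x30, der_int(n) + der_int(e))          # RSAPublicKey
    alg_id = der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # AlgorithmIdentifier
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))


def der_read(buf, off=0):
    """Return (tag, content, offset_after) for the DER TLV at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, off = first, off + 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nb], "big")
        off += 2 + nb
    return tag, buf[off:off + length], off + length


def parse_spki(spki):
    """Recover n and e from an RSA SubjectPublicKeyInfo."""
    tag, outer, _ = der_read(spki)
    assert tag == 0x30
    tag, alg_id, off = der_read(outer)
    assert tag == 0x30 and alg_id.startswith(RSA_ENCRYPTION_OID)
    tag, bitstr, _ = der_read(outer, off)
    assert tag == 0x03 and bitstr[0] == 0, "expected BIT STRING with 0 unused bits"
    _, rsa_pub, _ = der_read(bitstr[1:])
    t1, nb, off = der_read(rsa_pub)
    t2, eb, _ = der_read(rsa_pub, off)
    assert t1 == 0x02 and t2 == 0x02
    return {"n": int.from_bytes(nb, "big"), "e": int.from_bytes(eb, "big")}


def same_key_material(packet, spki):
    """True when the OpenPGP key and the X.509 public key carry the same (n, e)."""
    k, c = parse_openpgp_public_key(packet), parse_spki(spki)
    return (k["n"], k["e"]) == (c["n"], c["e"])


if __name__ == "__main__":
    pkt = openpgp_public_key_packet(N, E, CREATED)
    spki = x509_subject_public_key_info(N, E)
    print("OpenPGP fingerprint:", openpgp_fingerprint(pkt))
    print("OpenPGP key ID:     ", openpgp_key_id(pkt))
    print("same RSA key material in both encodings:", same_key_material(pkt, spki))
```

The only thing that differs between the two objects is the wrapper: the OpenPGP identity of the key (fingerprint, key ID, and whatever user IDs and certifications hang off it) is a hash over the RFC 2440 packet, while the X.509 certificate wraps the same modulus and exponent in a SubjectPublicKeyInfo and signs that together with a subject name and validity period. Issuing several certificates against one OpenPGP key, as the message describes, means feeding this one SubjectPublicKeyInfo into each certificate request.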