[Standards-JIG] The Great Encryption Debate

Ian Paterson ian.paterson at clientside.co.uk
Fri Aug 19 12:43:00 UTC 2005


After a bit more thought, I'm not sure that signing X.509 certs with WoT
(e.g. PGP) keys really solves very much. :(

Compare two scenarios where an object is being signed and verified:
a) Alice publishes WoT key only
b) Alice publishes WoT key and X.509 signed by WoT key

Either way Bob has to do the work of verifying the WoT key and verifying
something signed with the WoT key. In case b), Bob also has to verify
something signed with the X.509, Alice has the extra work of creating an
X.509, and all parts of the system have the extra work of distributing
two keys.

If for some reason Bob really wants an X.509 with Alice's public (RSA)
key, then he can create it and sign the cert himself (instead of Alice
creating it). In that case, the system is still saved the work of
distributing two keys.

This seemed an attractive idea, but it just creates more complexity and
inefficiency. No code is saved. Unless I've missed something of course?

- Ian




More information about the Standards mailing list