PKI: The Myth, the Magic and the Reality - Page 3

 By Charles Breed | Posted Sep 7, 1999
Page 3 of 6

Part 3: X.509 vs. PGP Certs

Digital certificates are used by a variety of applications to provide user or device identity for authentication. Certs might also contain security policy or rules for authorization. A digital certificate is a collection of attributes that have been cryptographically bound together by the digital signature of a CA that is recognized and "trusted" by a community of certificate users. Each certificate is unique and has three primary parts:

1. The subject’s public key value or principal element (a subject can be a person or a device).

2. One or more subject attributes (name, account number, validity period).

3. The CA’s signature, which binds the attributes to the subject’s public key.

Since there is no need to keep the subject’s public key confidential, certificates can be distributed unprotected (however, there may be privacy concerns about data mining of the cert’s attributes).

The two most common certificate types are PGP and X.509. Most secure business applications use an X.509 certificate-based scheme. PGP and X.509 are dramatically different in almost every aspect.

The X.509 certificate format, as defined by ISO/IEC and the ITU, has evolved since 1988 to its current version 3 (1996), with many other standards dependent upon its specification. PGP, on the other hand, was originally defined by a grassroots effort, and then by PGP and Network Associates. It’s now in the IETF arena, with change control owned by the IETF OpenPGP working group.

X.509 has a rigid structure, ASN.1 encoding and a single issuer (CA). PGP is a flexible "wallet" of signatures over specific attributes, using RADIX-64 encoding. X.509 was tied to the X.500 directory service, but is now used with LDAP as the standard protocol for retrieving the cert from a directory (PGP uses LDAP the same way).
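The three parts listed above (subject public key, subject attributes, CA signature) and the X.509 side of the contrast just drawn (one issuer, ASN.1/DER encoding) can be made concrete with a small model. The following is an added example written for this page, not code from the article or from any PGP or X.509 implementation. It builds a simplified tbsCertificate in DER, has a single "CA" sign those bytes, and then shows that changing one attribute while keeping the original signature fails verification. Everything in it is constructed: the field layout is a cut-down version of X.509's, the issuer name, subject name, account number and validity strings are made up, and the signature is textbook RSA with no padding on a small modulus so the arithmetic stays visible (not a secure signature scheme). PGP's "wallet" of several signatures over individual attributes is the contrast and is not modelled here.

```python
"""Toy model of a certificate's three parts, DER-encoded and bound by one CA's signature.

Added example, not code from the article.  Simplified tbsCertificate layout, made-up
names and dates, and unpadded textbook RSA on a ~92-bit modulus: illustrative only."""
import hashlib

# ---- minimal DER encoder / decoder: every element is tag, length, value ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b            # long-form length

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def seq(*items):                                 # SEQUENCE
    return tlv(0x30, b"".join(items))

def integer(n):                                  # INTEGER, non-negative; spare byte keeps sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def utf8(s):                                     # UTF8String
    return tlv(0x0C, s.encode())

def bitstring(b):                                # BIT STRING with 0 unused bits
    return tlv(0x03, b"\x00" + b)

def parse_tlv(data, pos=0):
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + ln], pos + ln

def parse_seq(data):                             # children of a SEQUENCE as (tag, value) pairs
    items, pos = [], 0
    while pos < len(data):
        tag, val, pos = parse_tlv(data, pos)
        items.append((tag, val))
    return items

# ---- constructed toy keys (Mersenne primes, so the modulus is easy to check) ----
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
CA_KEY = {"n": P * Q, "e": E, "d": pow(E, -1, (P - 1) * (Q - 1))}
SUBJECT_KEY = {"n": 2773, "e": 17}               # placeholder values; only carried in the cert, never used

def tbs_certificate(subject, account, not_before, not_after, subject_key):
    """The 'to be signed' part: attributes plus the subject's public key (part 1 and part 2)."""
    return seq(integer(2),                                    # version: v3 is encoded as 2
               utf8("CN=Example CA"),                         # issuer: the single signing CA
               seq(utf8(not_before), utf8(not_after)),        # validity period
               seq(utf8(subject), utf8(account)),             # subject attributes
               seq(integer(subject_key["n"]), integer(subject_key["e"])))  # subject public key

def digest_mod_n(tbs, n):
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue_certificate(tbs, ca_key):
    """The CA signs the exact DER bytes of tbsCertificate; the signature is part 3."""
    sig = pow(digest_mod_n(tbs, ca_key["n"]), ca_key["d"], ca_key["n"])
    return seq(tbs, utf8("toyRSA-SHA256"), bitstring(integer(sig)))

def split_certificate(cert):
    (t_tag, t_val), (_a_tag, a_val), (_s_tag, s_val) = parse_seq(parse_tlv(cert)[1])
    tbs_der = tlv(t_tag, t_val)                               # re-encoded: identical to what was signed
    sig = int.from_bytes(parse_tlv(s_val[1:])[1], "big")      # skip the unused-bits byte
    return tbs_der, a_val.decode(), sig

def verify_certificate(cert, ca_pub):
    """True only if the CA's signature matches the attributes as presented."""
    tbs_der, _alg, sig = split_certificate(cert)
    return pow(sig, ca_pub["e"], ca_pub["n"]) == digest_mod_n(tbs_der, ca_pub["n"])

def certificate_parts(cert):
    """Pull out the three parts the article lists: key, attributes, signature."""
    tbs_der, alg, sig = split_certificate(cert)
    _ver, issuer, validity, subject, spki = parse_seq(parse_tlv(tbs_der)[1])
    n, e = (int.from_bytes(v, "big") for _, v in parse_seq(spki[1]))
    name, account = (v.decode() for _, v in parse_seq(subject[1]))
    not_before, not_after = (v.decode() for _, v in parse_seq(validity[1]))
    return {"public_key": (n, e), "subject": name, "account": account,
            "issuer": issuer[1].decode(), "validity": (not_before, not_after),
            "signature": sig, "signature_algorithm": alg}

def alter_account(cert, new_account):
    """Rewrite one attribute but keep the CA's original signature, to show the binding."""
    (_t_tag, t_val), alg, sig = parse_seq(parse_tlv(cert)[1])
    ver, issuer, validity, subject, spki = parse_seq(t_val)
    name = parse_seq(subject[1])[0]
    new_tbs = seq(tlv(*ver), tlv(*issuer), tlv(*validity),
                  seq(tlv(*name), utf8(new_account)), tlv(*spki))
    return seq(new_tbs, tlv(*alg), tlv(*sig))

if __name__ == "__main__":
    cert = issue_certificate(tbs_certificate("CN=Alice", "acct-1001", "19990907000000Z",
                                             "20000907000000Z", SUBJECT_KEY), CA_KEY)
    print(certificate_parts(cert))
    print("signature valid:", verify_certificate(cert, CA_KEY))
    print("valid after changing the account attribute:",
          verify_certificate(alter_account(cert, "acct-9999"), CA_KEY))
```

The point the code makes is the one the article makes in prose: the public key and the attributes are not secret and can be handed around freely, but nobody can change an attribute (here the account number) without the single issuer's signature ceasing to verify. Because the signature covers the DER bytes of the whole tbsCertificate, the verifier must re-encode exactly what the CA encoded, which is why X.509 relies on DER's distinguished form rather than a looser encoding.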

Digital certificates are just one small component of the bigger PKI picture, but they’re the fundamental building block that can limit or extend the overall capabilities of a secure infrastructure.

Charles Breed is vice president of Kroll-O’Gara’s Information Security Group, a vendor-neutral security services and risk mitigation firm. Active in the IETF and a frequent lecturer on topics such as PGP, S/MIME, VPNs and PKIs, Charles is also the author/creator of the industry’s de facto "Cryptographic & Security Threats" reference chart, a poster-sized guide distributed to more than 100,000 individuals and organizations worldwide.


Source: "Cryptographic & Security Threats," © Charles Breed.

