PKI: The Myth, the Magic and the Reality - Page 3
Part 3: X.509 vs. PGP Certs
Digital certificates are used by a variety of applications to provide user or device identity for authentication. Certs might also contain security policy or rules for authorization. A digital certificate is a collection of attributes (information) that have been cryptographically bound together by the digital signature of a CA that is recognized and "trusted" by a community of certificate users. Each certificate is unique and has three primary parts:
1. The subject's public key value, or principal element (a subject can be a person or a device).
2. One or more subject attributes (name, account number, validity period).
3. The CA's signature, which binds the attributes to the subject's public key.
Since there is no need to keep the subject's public key confidential, certificates can be distributed unprotected (however, there may be privacy concerns about data mining of the cert's attributes).
The two most common certificate types are PGP and X.509. Most secure business applications use an X.509 certificate-based scheme. PGP and X.509 are dramatically different in almost every aspect.
The X.509 certificate format, as defined by ISO/IEC and the ITU, has evolved since 1988 to its current version 3 (1996), with many other standards dependent upon its specification. PGP, on the other hand, was originally defined by a grassroots effort, and then by PGP Inc. and Network Associates. It's now in the IETF arena, with change control owned by the IETF OpenPGP working group.
X.509 has a rigid structure, ASN.1 encoding and a single issuer (CA). PGP is a flexible "wallet" of signatures over specific attributes using Radix-64 encoding. X.509 was tied to the X.500 directory service, but is now used with LDAP as the standard protocol for accessing the cert in a directory (the same as PGP's use of LDAP).
Digital certificates are just one small component of the bigger PKI picture, but they're the fundamental building block that can limit or extend the overall capabilities of a secure infrastructure.
Charles Breed is vice president of Kroll-O'Gara's Information Security Group, a vendor-neutral security services and risk mitigation firm. Active in the IETF and a frequent lecturer on topics such as PGP, S/MIME, VPNs and PKIs, Charles is also the author/creator of the industry's de facto "Cryptographic & Security Threats" reference chart, a poster-sized guide distributed to more than 100,000 individuals and organizations worldwide.
Source: "Cryptographic & Security Threats," © Charles Breed.