X.509 Certificates vs. Webs Of Trust (e.g., PGP, SSH)

Tuesday, June 07, 2011

Jonathan Lampe


Shortly after Symantec acquired PGP Corp, I was involved in a debate about whether or not PKI implementations that depended on X.509 certificates were "winning" against PKI implementations that use "web of trust" (WOT). 

After all, much of PGP's original appeal, especially with underground communities, was that it was based on a model of WOT rather than delegated authority.

The argument ran either that WOT was hot, because its champion company had just been acquired for $300M, or that WOT was cold, because its champion company had just been bought out of the market.

My belief is that WOT is fading, not just because PGP Corp was acquired, but also because PGP Corp itself was making or had made several technology decisions to integrate X.509 into PGP encryption and signing processes and even to act as an X.509 certificate authority.

And it's not just PGP Corp; many commercial PGP vendors have concentrated on building a key management framework to make WOT less about individual- or machine-specific trust and more about lighter administration loads through delegated trust - a core feature that X.509 certificate-based models typically bring to the table.

And it's not even just PGP encryption: another popular WOT technology is SSH, where individual clients trust individual server keys in local stores.

In my years as a file transfer product manager I heard from many customers and prospects who wanted me to integrate X.509 certificate authentication into my SSH protocol support. (See Tectia SSH for an example of a product that already does this.)

Again, these requests came in to specifically address the key management issues common to plain old WOT.
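To make the key-management difference concrete, here is an added illustration (not code from the post or from any product it mentions) that puts the two models side by side: a per-peer pinned store in the style of an SSH known_hosts file, where every client must be touched individually when a server key appears or changes, and a CA-delegated check, where the client holds a single CA certificate and accepts any host certificate that CA signed. It uses the third-party `cryptography` package; every hostname, CA name and key in it is constructed for the example.

```python
"""Per-peer pinning (SSH known_hosts habit, trust on first use) next to
delegated trust through one CA certificate (X.509 model).  Constructed
illustration with the `cryptography` package; all names and keys are made up."""
import datetime
import hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

# ---- Model 1: per-peer pinning (web-of-trust style, nothing delegated) ----
def fingerprint(public_key) -> str:
    raw = public_key.public_bytes(serialization.Encoding.Raw,
                                  serialization.PublicFormat.Raw)
    return hashlib.sha256(raw).hexdigest()   # SHA-256 of the raw Ed25519 key

class PinnedStore:
    """Each client owns a host -> fingerprint map; every key change means a visit."""
    def __init__(self):
        self.pins = {}

    def check(self, host: str, public_key) -> str:
        fp = fingerprint(public_key)
        if host not in self.pins:
            self.pins[host] = fp      # first contact: nothing to compare against
            return "new"
        if self.pins[host] != fp:
            return "MISMATCH"         # rotation or interception; a human must decide
        return "ok"

# ---- Model 2: delegated trust through a CA (X.509 style) ----
def _builder(subject: str, issuer: x509.Name, public_key, days: int):
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(issuer)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=days)))

def make_ca(name="Example Corp CA"):
    """Self-signed CA; the client will hold this one certificate and nothing else."""
    key = ed25519.Ed25519PrivateKey.generate()
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (_builder(name, issuer, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, None))         # Ed25519 signs without a separate hash algorithm
    return key, cert

def issue_host_cert(ca_key, ca_cert, host: str):
    """CA-side issuance.  The key pair is generated here, which is the post's
    eDiscovery point: a CA that makes keys for its users can also keep a copy."""
    host_key = ed25519.Ed25519PrivateKey.generate()
    cert = (_builder(host, ca_cert.subject, host_key.public_key(), 90)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
            .sign(ca_key, None))
    return host_key, cert

def _validity(cert):  # tz-aware *_utc properties exist only in cryptography >= 42
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def ca_check(ca_cert, host: str, cert) -> str:
    """Client side: one trusted CA certificate, no per-host state at all."""
    if cert.issuer != ca_cert.subject:
        return "unknown issuer"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return "bad signature"        # issuer name matched, but not our CA's key
    before, after = _validity(cert)
    if not before <= datetime.datetime.now(UTC) <= after:
        return "expired"
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if host not in san.get_values_for_type(x509.DNSName):
        return "name mismatch"
    return "ok"

def demo() -> dict:
    """Constructed scenario exercising both models; returns the verdicts."""
    out = {}
    store = PinnedStore()
    k1, k2 = (ed25519.Ed25519PrivateKey.generate().public_key() for _ in range(2))
    out["pin_first"] = store.check("files.example.test", k1)
    out["pin_same"] = store.check("files.example.test", k1)
    out["pin_changed"] = store.check("files.example.test", k2)   # key changed under us
    ca_key, ca_cert = make_ca()
    _, host_cert = issue_host_cert(ca_key, ca_cert, "sftp.example.test")
    out["ca_ok"] = ca_check(ca_cert, "sftp.example.test", host_cert)
    out["ca_wrong_name"] = ca_check(ca_cert, "other.example.test", host_cert)
    # Second CA with the same display name but its own key: name matches, signature fails.
    rogue_key, rogue_ca = make_ca()
    _, rogue_cert = issue_host_cert(rogue_key, rogue_ca, "sftp.example.test")
    out["ca_rogue"] = ca_check(ca_cert, "sftp.example.test", rogue_cert)
    return out
```

Calling `demo()` shows the trade the post describes: the pinned store needs per-host state on every client and can only flag a changed key, while the CA check needs one trust anchor per client and moves the work (and the custody of keys) to the issuer.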

Finally, there are recent issues with eDiscovery. If you are using pure WOT technologies to transfer files, only the individuals at the endpoints can see the data (unless special provisions are made to also make the eDiscovery process a recipient, etc.). 

However, if you are a CA that issues your users' certificates, the opportunity is there to retain a secure copy of your users' keys and to use those later to decrypt and read sensitive communications as necessary.

In short, my view is that X.509 certificates ARE "winning" against webs of trust, at least in business environments, and that WOT's security role will mainly be reduced to two niches:

  • Individual people who want to share sensitive information, only with each other, and have no eDiscovery requirements (this is close to PGP's original purpose)
  • Remote console sessions to key equipment in small businesses (SSH shines here today, but I still don't see much use of SSH-based mutual authentication in larger companies)

What do you think about X.509 vs. WOT?
Stephen Gornick: Someone doesn't know about the Bitcoin OTC marketplace.

In the past few months nearly 1,000 users have registered their GPG keys with the service and have used them for over 5,000 actions (trust ratings).


Jonathan Lampe: I've played with BitCoin but I hadn't seen the Bitcoin OTC marketplace. What makes that more than a standard web of trust is the rating system. By centralizing ratings, BitCoin OTC is performing one of the functions that an X.509-based certificate authority would fill; a high rating takes the role of a "signed PGP key" if you will.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
