
Sometimes it can be advantageous to use existing trust relationships in one certification world - X.509 or PGP - to create trust in the other world. At the lowest level I can always take an X.509 cert - say, a self-signed SSL or code signing certificate - and provide a detached signature with my PGP key. Someone who trusts my PGP key can then trust the X.509 cert, after verifying the signature.

This involves some manual steps but it is less cumbersome and less error-prone than telling people to compare long key fingerprints digit by digit. If they don't reduce the detailed comparison to a quick glance or skip the check altogether...

Are there any tools that support cross-certification directly - for example storing an 'alien' certificate as a property of a 'native' certificate - or indirectly? Any interesting papers that explore such uses?

ATM I'm investigating the problem per se but where the shoe actually hurts is that the extortionate prices for code signing and SSL certificates (server and client) leave private people and small businesses in the lurch.

DarthGizka
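The procedure the question describes, as an added example that is not code from the original post: a self-signed X.509 certificate is vouched for with a detached OpenPGP signature, and a relying party who only holds the signer's public key verifies it. It assumes `gpg` (GnuPG 2.1 or later) and `openssl` are on PATH; the certificate subject, the OpenPGP user ID and all file names are hypothetical, and every key and keyring is created in a throwaway directory so the real `~/.gnupg` is never touched.

```shell
#!/bin/sh
# Added example, not code from the original post: vouch for a self-signed
# X.509 certificate with a detached OpenPGP signature and verify it from a
# second keyring that only holds the signer's public key.
# Assumes gpg (GnuPG >= 2.1) and openssl on PATH. All keys, certificates and
# keyrings live in a throwaway directory; ~/.gnupg is never touched.
set -eu

# gpg wrapper: batch mode, explicit keyring, unprotected throwaway key.
gpg_at() { home=$1; shift; GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

setup() {
    WORK=$(mktemp -d)
    SIGNER_HOME="$WORK/signer"     # "my" keyring: holds the OpenPGP secret key
    VERIFIER_HOME="$WORK/verifier" # the relying party's keyring
    for d in "$SIGNER_HOME" "$VERIFIER_HOME"; do
        mkdir -p "$d" && chmod 700 "$d"
        echo allow-loopback-pinentry > "$d/gpg-agent.conf"
    done
}

cleanup() {
    for d in "$SIGNER_HOME" "$VERIFIER_HOME"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}

# Constructed self-signed X.509 certificate (hypothetical subject name).
make_x509_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=cross-cert-demo.example" \
        -keyout "$WORK/cert-key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# Throwaway OpenPGP signing key (hypothetical user ID) plus its public export,
# which is what the relying party would receive out of band.
make_pgp_key() {
    gpg_at "$SIGNER_HOME" --quick-generate-key \
        "Demo Signer <signer@cross-cert.example>" default default 1d 2>/dev/null
    gpg_at "$SIGNER_HOME" --armor --export > "$WORK/signer.pub"
}

# Detached, ASCII-armoured signature over the raw certificate bytes.
# No --textmode: any change to the PEM file, even one byte, invalidates it.
sign_cert() { gpg_at "$SIGNER_HOME" --yes --armor --detach-sign --output "$1.asc" "$1"; }

# Exit status 0 means the signature is cryptographically valid for the file.
# Whether the signer's key itself deserves trust is a separate web-of-trust
# question (fingerprint check, key signatures, ownertrust) that gpg reports as
# a warning, not as a failure.
verify_cert() { GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1; }

cross_cert_demo() {
    setup
    cert=$(make_x509_cert)
    make_pgp_key
    sign_cert "$cert"
    gpg_at "$VERIFIER_HOME" --import "$WORK/signer.pub" 2>/dev/null

    genuine=rejected
    if verify_cert "$cert"; then genuine=verified; fi

    # Same signature, certificate with one extra byte appended: must fail.
    cp "$cert" "$WORK/tampered.pem"
    cp "$cert.asc" "$WORK/tampered.pem.asc"
    printf 'X' >> "$WORK/tampered.pem"
    tampered=rejected
    if verify_cert "$WORK/tampered.pem"; then tampered=verified; fi

    result="genuine=$genuine tampered=$tampered"
    cleanup
    printf '%s\n' "$result"
}

cross_cert_demo   # prints: genuine=verified tampered=rejected
```

In practice the relying party would pin the signer's OpenPGP fingerprint once (or rely on key signatures from people they already trust) and thereafter check `cert.pem.asc` against every new certificate, which is the "one fingerprint comparison instead of many" trade the question is after.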

1 Answer


The trust systems of OpenPGP (web of trust) and X.509 (hierarchical) are not compatible, nor are the signatures (the "math behind" both of them with respect to the keys would indeed be compatible, as long as the algorithms are defined for both, for example RSA).

While you could easily map the hierarchical X.509 trust system to the more powerful (and complex) OpenPGP web of trust, the other way round is not possible for a general solution. What would be possible indeed is generating trusted X.509 certificates for all validated OpenPGP keys.

This would require proprietary software (in the sense that there is no standard defining how to do this) on each client computer that wants to validate. I'm not aware of any solution for this.

What is available is the Monkeysphere Firefox add-on for validating against OpenPGP certificates in HTTPS, which tries to bring OpenPGP to the web -- but is proprietary (with the same definition as above) anyway, and I've never seen it being used in the wild.

Jens Erat
  • One solution that I'm aware of is [Entrust Entelligence Messaging Server](https://www.entrust.com/wp-content/uploads/2013/05/DS_EMS_web_April2012.pdf). It sits on the mail server and acts as a translation layer between an X.509 PKI inside the organization, and any of Secure PDF, Web-based secure email, S/MIME and OpenPGP for users outside. Though this solution is proprietary and certainly not free. – Mike Ounsworth Jun 11 '15 at 13:07