On Fri, May 24, 2002 at 04:40:36PM -0700, Eric Murray wrote:
> Additionally, there is nothing that prevents one from issuing certs
> that can be used to sign other certs. Sure, there are key usage bits
> etc but it's possible to ignore them.

The S/MIME-aware MUAs do not ignore the trust delegation bit. Therefore you cannot usefully sign other certs with a user-grade certificate from Verisign et al. If you make your own CA key (with the trust delegation bit set) and self-sign it, S/MIME-aware MUAs will also flag signatures made with it as invalid signatures, because your self-signed "CA" key is not signed by a CA in the default trusted CA key database.

> It should be possible to create a PGP style web of trust using X.509
> certs, given an appropriate set of cert extensions. If Peter can
> put a .gif of his cat in an X.509 cert there's no reason someone
> couldn't represent a web of trust in it.

While it is true that you can extend X.509v3, I don't see how useful it would be to add a WoT extension until it got widely deployed. Recipient MUAs will at best ignore your extensions, and at worst will fail on them until support for such an extension is deployed. I view the chances of such an extension getting deployed as close to nil. The S/MIME MUA / PKI library / CA cartel has a financial incentive to not deploy it -- as they view it as competition to the CAs' business.

Adam
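The two validation failures the message above describes (a chain that passes through a user-grade certificate, and a chain that ends at a self-signed "CA" the relying party does not trust) can be reproduced with the openssl command line tool. The following script is an added example and is not part of the original thread; it builds a throwaway root CA, a user certificate issued by it, a certificate "signed" by that user certificate, and a separate self-signed CA, then runs path validation against a trust store that holds only the root. All names, file names and the `example.invalid` addresses are constructed for the demonstration; the script needs openssl 1.1.x or 3.x.

```shell
#!/bin/sh
# Added example, not from the original thread. Everything here is constructed:
# the CA names, the user names and the *.invalid addresses. It shows, from the
# relying party's (MUA's) side, why a CA:FALSE certificate cannot usefully sign
# other certificates and why a self-signed CA outside the trust store fails.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: "ca_ext" is what a CA certificate carries, "user_ext"
# is a typical S/MIME end-entity profile (CA:FALSE, no keyCertSign).
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ user_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME SUBJECT : self-signed certificate with the CA bit set
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ext.cnf" -extensions ca_ext -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue ISSUER NAME SUBJECT EXT_SECTION : ISSUER signs a new cert for NAME.
# openssl x509 -req signs with a CA:FALSE issuer without complaint: the
# enforcement happens on the relying side, at verification time.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ext.cnf" \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$2.crt" 2>/dev/null
}

# verify_chain TRUST LEAF [UNTRUSTED] : path validation the way a relying
# MUA does it, with TRUST as the only trusted CA. Prints "ok" on success or
# the first openssl error line on failure; never aborts the script.
verify_chain() {
  trust="$WORK/$1.crt"
  leaf="$WORK/$2.crt"
  untrusted=""
  if [ -n "$3" ]; then
    untrusted="-untrusted $WORK/$3.crt"
  fi
  if out=$(openssl verify -CAfile "$trust" $untrusted "$leaf" 2>&1); then
    echo ok
  else
    echo "$out" | grep -i error | head -n1
  fi
}

make_ca root "Example Root CA"                      # the "default trusted CA database"
issue root alice "alice@example.invalid" user_ext   # user-grade cert from that CA
issue alice bob "bob@example.invalid" user_ext      # Alice "signs" Bob's certificate
make_ca selfca "Homebrew CA"                        # self-signed CA, trusted by nobody
issue selfca carol "carol@example.invalid" user_ext

echo "alice (issued by root):        $(verify_chain root alice)"
echo "bob (via alice, CA:FALSE):     $(verify_chain root bob alice)"
echo "carol (via untrusted selfca):  $(verify_chain root carol selfca)"
echo "carol (selfca in trust store): $(verify_chain selfca carol)"
```

Only the first and last lines come back `ok`: Bob's certificate is rejected because the certificate that signed it is not a CA (basicConstraints CA:FALSE and a keyUsage without keyCertSign), and Carol's is rejected because the chain ends at a self-signed certificate the trust store does not contain. The last call shows the converse: once the self-signed CA is added to the trust store, the same chain validates, which is exactly the step a recipient's MUA will not take for you.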