Eric Murray <[EMAIL PROTECTED]> writes:

>Additionally, there is nothing that prevents one from issuing certs that can
>be used to sign other certs. Sure, there are key usage bits etc but it's
>possible to ignore them. It should be possible to create a PGP style web of
>trust using X.509 certs, given an appropriate set of cert extensions.

I proposed some very simple additions to X.509 which would allow you to use the certs in the same way as PGP keys a year or two back. Unfortunately the PKIX WG chair is about as open to PGP-style additions to X.509 as some PGP people are towards S/MIME. (You can also do PGP using X.509 certs, I've been doing that for a while just out of sheer bloody-mindedness :-).

Peter.