> ITU-T X.509 is a certificate standard and it is not a certificate
> repository standard. So, I didn't understand
> how PGP is able to use X.509? It may be correct that PGP uses LDAP
> repositories for storage/retrieval
> but X.509 integration is an unknown for me.

Most protocols, such as TLS (used for secure web connections), transmit the X.509 certificate in-band. At the beginning of the connection there is a small negotiation where, among other things, the server presents its X.509 certificate. I believe IPSec's key management component IKE does the same.

X.509 certificates are however also most commonly stored in LDAP directories. For instance, everyone who has an electronic ID card in Finland has their certificate not only on the card, but also in the LDAP directory ldap://ldap.fineid.fi/ with a web interface at http://www.fineid.fi/certsearch.asp. Protocols such as Wireless TLS for WAP make it so that the client only instructs the server to fetch the certificate from the LDAP directory, giving it an LDAP URL.

As for e-mail encryption a la S/MIME, I believe the latter is used, i.e. an LDAP URL, where the certificate can be found, that is attached to all messages.

--
Toni Heinonen, CISSP
Teleware Oy
+358 (40) 836 1815
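
As an added illustration of the LDAP-URL case described in the message above (not part of the original post): a server that fetches a certificate from a URL supplied by a peer should first take the URL apart and check that it is a certificate lookup on a directory it expects. The allowed-host list, the accepted attribute names and the sample DN are assumptions made for this example; only the host name comes from the message.

```python
from urllib.parse import urlsplit, unquote

# Assumptions: the only directory this server may query, and the standard
# LDAP attribute names that hold X.509 certificates.
ALLOWED_HOSTS = {"ldap.fineid.fi"}
CERT_ATTRS = {"usercertificate", "usercertificate;binary",
              "cacertificate", "cacertificate;binary"}

# Constructed sample: the DN is made up, only the host comes from the message.
SAMPLE_URL = ("ldap://ldap.fineid.fi/cn=Test%20User,o=Example,c=FI"
              "?userCertificate;binary?base?(objectClass=*)")


def parse_cert_ldap_url(url):
    """Split ldap://host[:port]/dn?attrs?scope?filter (RFC 4516) and reject
    anything that is not a certificate lookup on an allowed directory."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % scheme)
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("directory host not allowed: %r" % host)
    port = parts.port or (636 if scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    # After the DN come "?"-separated fields: attributes, scope, filter.
    # Any further field (extensions) is ignored here.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attrs = [unquote(a) for a in fields[0].split(",") if a]
    scope = fields[1].lower() or "base"                # RFC 4516 default
    ldap_filter = unquote(fields[2]) or "(objectClass=*)"  # RFC 4516 default
    if not dn:
        raise ValueError("missing distinguished name")
    if not attrs or any(a.lower() not in CERT_ATTRS for a in attrs):
        raise ValueError("URL must request only certificate attributes")
    if scope not in ("base", "one", "sub"):
        raise ValueError("invalid scope: %r" % scope)
    return {"host": host, "port": port, "dn": dn, "attrs": attrs,
            "scope": scope, "filter": ldap_filter}


if __name__ == "__main__":
    print(parse_cert_ldap_url(SAMPLE_URL))
```

The certificate returned by such a lookup still has to be validated like one received in-band; the URL check only limits where the server will go to fetch it.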
