Overview of Certification Systems: X.509, CA, PGP and SKIP

Cryptography and certification are considered necessary Internet features and must be used together, for example in ecommerce. This work deals with certification issues and reviews the three most common methods in use today, which are based on X.509 Certificates and Certification Authorities (CAs), PGP and, SKIP. These methods are respectively classified as directory, referral and collaborative based. For two parties in a dialogue the three methods are further classified as extrinsic, because they depend on references which are outside the scope of the dialogue. A series of conceptual, legal and implementation flaws are catalogued for each case, emphasizing X.509 and CAs, which helps to provide users with safety guidelines to be used when resolving certification issues. Governmental initiatives introducing Internet regulations on certification, such as by TTP, are also discussed with their pros and cons regarding security and privacy. Throughout, the paper stresses the basic paradox of security versus privacy when dealing with extrinsic certification systems, whether with X.509 or in combination with PGP. This paper has benefited from the feedback of the Internet community and its expanded on-line version has received more than 50,000 Internet visitors from more than 20,000 unique Internet sites, in 1997/98. * The author is with Novaware, Av. Albert Einstein 1301, SOFTEX/UNICAMP Campinas – SP Brazil; http://novaware.cps.softex.br Overview of Certification Systems – E. Gerck, 1998. 2 Overview of Certification Systems: X.509, CA, PGP and SKIP E. Gerck [email protected] MCG Meta-Certificate Group http://www.mcg.org.br