[63] in cryptography@c2.net mail archive
Re: S/MIME
daemon@ATHENA.MIT.EDU (Dan Geer)
Fri Jan 17 00:10:00 1997
To: Derek Atkins <warlord@mit.edu>
cc: cryptography@c2.net
In-reply-to: Your message of "16 Jan 1997 17:54:51 EST."
<sjm4tghcjt0.fsf@charon.MIT.EDU>
Date: Thu, 16 Jan 1997 20:23:59 -0500
From: Dan Geer <geer@OpenMarket.com>
Derek, in writing
> Patrick Richard <patr@xcert.com> writes:
> > Anyways, you can support both X.509 and PGP all at the same time if your
> > directory mutates the public key into both formats.
> The problem with doing this is that you lose the X.509 and/or PGP
> certification when you switch back-and-forth. If the key is natively
> X.509, there are no PGP signatures on it. If it is natively PGP,
> there are no X.509 signatures.
> So, while you can swap back-and-forth to *use* the key, doing this at
> the directory level is a Bad Idea (TM). You need to be able to verify
> the key you receive from the directory.
is right, but I am just sitting here thinking
whether I have a convincing argument why I don't
want the same key pair to be *both* my PGP set
and my X.509 set.
My intuition says that it would be Dumb(SM) to
have two signed cryptographic identifiers with
different revocation policies, but that is as far
as my tired brain can go just now.
Hmmmm...zzzzz
--dan
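An added example, not part of this thread, that models both points in Python: Derek's, that a directory-side format conversion carries over the key material but none of the certifications on it, and Dan's, that one key pair living under two certification systems ends up with two independent revocation states. It is a constructed toy model: HMAC keyed with a certifier-held secret stands in for a real signature, and all keys, secrets and certifier names are made up.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed toy model (not real X.509/OpenPGP): HMAC with a certifier-held
# secret stands in for a signature over the (format, key) binding.
@dataclass
class Cert:
    fmt: str                                  # "x509" or "pgp"
    key: bytes                                # public key, same in both formats
    sigs: dict = field(default_factory=dict)  # certifier name -> signature

def certify(cert, certifier, secret):
    binding = cert.fmt.encode() + b"|" + cert.key
    cert.sigs[certifier] = hmac.new(secret, binding, hashlib.sha256).digest()

def verify(cert, certifier, secret):
    """True only if certifier signed THIS format's binding of the key."""
    sig = cert.sigs.get(certifier)
    if sig is None:                           # converted keys land here
        return False
    binding = cert.fmt.encode() + b"|" + cert.key
    return hmac.compare_digest(sig, hmac.new(secret, binding, hashlib.sha256).digest())

def directory_convert(cert, target_fmt):
    """A directory that 'mutates' the key: only the key material carries over."""
    return Cert(target_fmt, cert.key)

# Revocation is per format (CA-issued CRL for X.509, owner-issued revocation
# for PGP); neither mechanism sees the other.
revoked = {"x509": set(), "pgp": set()}

def revoke(cert):
    revoked[cert.fmt].add(cert.key)

def usable(cert):
    return cert.key not in revoked[cert.fmt]

def demo():
    key = b"constructed-rsa-public-key-bytes"      # one key pair for both formats
    ca_secret, friend_secret = b"ca-secret", b"friend-secret"
    x509 = Cert("x509", key)
    certify(x509, "CA", ca_secret)
    pgp_from_dir = directory_convert(x509, "pgp")  # Patrick's proposal
    pgp = Cert("pgp", key)
    certify(pgp, "friend", friend_secret)
    revoke(pgp)                                    # owner revokes the PGP key only
    return {"native_x509_verifies": verify(x509, "CA", ca_secret),
            "converted_pgp_verifies": verify(pgp_from_dir, "CA", ca_secret),
            "pgp_usable_after_revoke": usable(pgp),
            "x509_usable_after_revoke": usable(x509)}
```

A relying party that only checks the X.509 path keeps accepting the key after its owner has revoked it on the PGP side, which is the mismatch in revocation policy Dan is uneasy about.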