[64] in cryptography@c2.net mail archive


Re: S\MIME

daemon@ATHENA.MIT.EDU (Patrick Richard)
Fri Jan 17 00:10:09 1997

Date: Thu, 16 Jan 1997 17:18:45 -0800 (PST)
From: Patrick Richard <patr@xcert.com>
To: Derek Atkins <warlord@mit.edu>
cc: "Arnold G. Reinhold" <reinhold@world.std.com>,
        Michael C Taylor <mctaylor@fractal.mta.ca>, cryptography@c2.net
In-Reply-To: <sjm4tghcjt0.fsf@charon.MIT.EDU>

On 16 Jan 1997, Derek Atkins wrote:

> Date: 16 Jan 1997 17:54:51 -0500
> From: Derek Atkins <warlord@MIT.EDU>
> To: Patrick Richard <patr@xcert.com>
> Cc: "Arnold G. Reinhold" <reinhold@world.std.com>,
>     Michael C Taylor <mctaylor@fractal.mta.ca>, cryptography@c2.net
> Subject: Re: S\MIME
> 
> Patrick Richard <patr@xcert.com> writes:
> 
> > Anyways, you can support both X.509 and PGP all at the same time if your
> > directory mutates the public key into both formats.
> 
> The problem with doing this is that you lose the X.509 and/or PGP
> certification when you switch back-and-forth.  If the key is natively
> X.509, there are no PGP signatures on it.  If it is natively PGP,
> there are no X.509 signatures.
> 
> So, while you can swap back-and-forth to *use* the key, doing this at
> the directory level is a Bad Idea (TM).  You need to be able to verify
> the key you receive from the directory.

No, perhaps you are misunderstanding what I mean.

What we have is the capability to generate and store signed X.509 and signed
PGP public keys, both of which contain the same RSA public key. 

They are both signed, and both verifiable.

So you can actually use your CA as a PGP signing service as well, and
have both keys stored in the directory so that you can use either
for whichever app you feel like using at the time...

This enables you to use the LDAP server as both a CA (to check CRLs, to
get people's X509's) as well as a PGP public key server all as one, 
unified directory service.

-Pat

 > > -derek
> 

--
Pat Richard    /    patr@xcert.com
----
Run your own CA and secure your Virtual Community:
	http://www.xcert.com
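
Added example, not part of the original post: a directory client can check that an X.509 entry and a PGP entry really wrap the same RSA public key by comparing (n, e) from the X.509 SubjectPublicKeyInfo and from the PGP public-key packet body. The function names and the sample bytes (a textbook toy key) are constructed for illustration.

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER-encoded OID rsaEncryption

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_from_spki(spki):
    """(n, e) from an X.509 SubjectPublicKeyInfo carrying an RSA key."""
    _, body, _ = der_read(spki, 0)        # outer SEQUENCE
    _, alg, pos = der_read(body, 0)       # AlgorithmIdentifier
    tag, bits, _ = der_read(body, pos)    # BIT STRING wrapping RSAPublicKey
    if not alg.startswith(RSA_OID) or tag != 0x03 or bits[0] != 0:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, key, _ = der_read(bits[1:], 0)     # SEQUENCE { modulus, exponent }
    _, n, pos = der_read(key, 0)
    _, e, _ = der_read(key, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def rsa_from_pgp(body):
    """(n, e) from a PGP public-key packet body (v2/v3 or v4, RSA)."""
    pos = 7 if body[0] in (2, 3) else 5   # v2/v3 add a 2-byte validity period
    if body[pos] not in (1, 2, 3):        # RSA algorithm ids
        raise ValueError("not an RSA key packet")
    pos, out = pos + 1, []
    for _ in range(2):                    # two MPIs: n, then e
        size = (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        out.append(int.from_bytes(body[pos + 2:pos + 2 + size], "big"))
        pos += 2 + size
    return tuple(out)

def same_rsa_key(spki, pgp_body):
    """True only if both directory entries wrap the identical RSA key."""
    return rsa_from_spki(spki) == rsa_from_pgp(pgp_body)

# Constructed samples: toy key n = 3233 (61 * 53), e = 17.
SPKI = bytes.fromhex("301b300d06092a864886f70d0101010500030a00300702020ca1020111")
PGP_V3 = bytes.fromhex("03" "00000000" "0000" "01" "000c0ca1" "000511")
PGP_OTHER = bytes.fromhex("03" "00000000" "0000" "01" "000c0ca3" "000511")  # n differs

if __name__ == "__main__":
    print(same_rsa_key(SPKI, PGP_V3), same_rsa_key(SPKI, PGP_OTHER))
```

This compares key material only; the X.509 signature and the PGP signature on each entry still have to be verified separately, each in its own format.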

