XML Certificates

David Brownell david-b at pacbell.net
Fri Jan 21 19:30:11 GMT 2000


"Steven Livingstone, ITS, SENM" wrote:
> 
> Anybody doing much work with XML Certificates for security??

I'd certainly hope not!

There are roughly two standards that matter today:

	- X.509, as issued by Verisign (99% worldwide monopoly
	  in the non-corporate space, if the Thawte acquisition
	  goes through).  Binary, baroque syntax, overfeatured.

	- OpenPGP, which doesn't have a "BigBrother" hook (anyone
	  can cut a cert, you don't punt the "do I trust XXX"
	  issue by trusting some Big Brother).  Both ASCII and
	  binary formats exist; simpler.

Public Key Infrastructure is a big enough problem that IMHO it's
really not worth tweaking low level standards.  The problems that
need solving are at the level of global infrastructure deployment,
trustability, and (especially) usability.  XML can't help there.

For OpenPGP info/source/... I'd suggest http://www.gnupg.org for
info.  It interoperates with PGP 5.x and later.

What's lacking is commercial support for OpenPGP; licensing deals
with Verisign have ensured that X.509 availability skyrocketed
despite its problems.  Browsers have X.509 for SSL support (and
S/MIME); few as yet (even Mozilla) support OpenPGP.

- Dave

xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev at ic.ac.uk
Archived as: http://www.lists.ic.ac.uk/hypermail/xml-dev/ or CD-ROM/ISBN 981-02-3594-1