Security Basics mailing list archives

Re: GnuPG vs Digital Certificates?


From: Francisco Andrades <fandrades () nextj com>
Date: Mon, 20 Oct 2003 17:31:14 -0400

Hi,

Both techniques (GPG/PGP and Digital Certificates) have their own uses, advantages and disadvantages, but when creating a standard for use inside an organization Digital Certificates provide more flexibility:

When using a GPG/PGP system you choose to trust individuals, represented by their GPG/PGP public key. This is great for unorganized communications on the internet, but when working inside an organization Digital Certificates provide additional advantages because you choose to trust only the Certificate Signing authority. If you create your own Certification Authority for your organization you can separate different divisions with different certificate chains. That provides the ability to choose to trust an entire division or department given their certification chain.

With Digital Certificates you also have the advantage that each user must trust only the Certification Authority and its CRL. If a whole division or department leaves (or is compromised and the private keys are no longer trusted) you just revoke that division's root certificate, automatically rendering invalid all child certificates.

You must know that not all (and I believe this is almost none) implementations of Digital Certificates for encrypted communications use all the checks available (CRL checks for all certificates on the chain, digital signature for all certificates on the chain, validity dates for all certificates on the chain, Common Name for all certificates, use for all certificates, etc), so it is up to you to either perform them or choose a solution that enforces the checks.

GnuPG is a great tool, but it's not the best tool when working inside an organization where you should have tight controls over the system.

Mark G. Spencer wrote:
I was hoping someone could explain the theoretical and practical issues
involved between using public/private keys with GnuPG and digital
certificates from a vendor like Thawte?

I've noticed many applications (IM, email, etc.) can use GnuPG or digital
certificates and I would like to standardize if possible on the solution
that makes most sense for my coworkers.

Thanks!

Mark

--
Francisco Andrades Grassi
www.nextj.com
Tlf: +58-414-125-7415
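Two points from the reply above, trusting a division by its own certificate chain and cutting off a whole division by revoking its CA certificate, as an added shell example that is not part of the original message. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the CA names, subjects and file names are constructed for the example.

```shell
# Added example, not from the original thread; it assumes the openssl CLI (1.1.1 or newer).
# Root CA -> per-division CA -> user cert, verified with CRL checks on the whole chain.
set -e
cd "$(mktemp -d)"
export CA=root   # ${ENV::CA} in ca.cnf selects which CA's files `openssl ca` uses
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = ca_default
[ca_default]
database = ${ENV::CA}.idx
serial = ${ENV::CA}.srl
private_key = ${ENV::CA}.key
certificate = ${ENV::CA}.crt
new_certs_dir = .
policy = policy_any
default_md = sha256
[policy_any]
commonName = supplied
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
# issue NAME SUBJECT EXT_SECTION ISSUER -- ISSUER "self" makes a self-signed root.
issue() {
  if [ "$4" = self ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" -subj "$2" -config ca.cnf -extensions "$3" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" -config ca.cnf 2>/dev/null
    CA=$4 openssl ca -config ca.cnf -batch -notext -days 365 -in "$1.csr" -extensions "$3" -out "$1.crt" 2>/dev/null
  fi
  touch "$1.idx"; echo 01 > "$1.srl"   # empty `openssl ca` database, used when NAME is a CA
}
issue root  "/CN=Example Root CA"     v3_ca   self
issue sales "/CN=Sales Division CA"   v3_ca   root
issue alice "/CN=alice@sales.example" v3_user sales
# verify_user NAME DIVISION: signature, validity dates and a fresh CRL for every cert in the chain.
verify_user() {
  for c in root "$2"; do CA=$c openssl ca -config ca.cnf -gencrl -crldays 30 2>/dev/null; done > chain.crl
  openssl verify -CAfile root.crt -CRLfile chain.crl -crl_check_all -untrusted "$2.crt" "$1.crt" 2>&1
}
verify_user alice sales || true                                  # alice.crt: OK
CA=root openssl ca -config ca.cnf -revoke sales.crt 2>/dev/null  # the whole division leaves
verify_user alice sales || true                                  # error ... certificate revoked
```

Without -crl_check_all, or with a stale CRL, the revoked division's certificates still verify, which is the gap the reply warns about.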

