RE: PGP vs. certificate from Verisign

[Daniel Tams <dantams () myrealbox com>]

Yes, they still offer the free certificate. I have one myself. Here
http://www.dallaway.com/acad/webstart/ is a writeup on how you can use
that free certificate to even sign your Java apps. 

It is very annoying however that only very few developers properly sign
their public keys/certtificates. Most just self-sign it. This is the
case with X.509 as well as PGP. Whether you use PGP or X.509 you should
always make sure it is signed by someone else, preferrably someone
trusted, otherwise the whole idea goes down the sink as any script
kiddie could create a public key/certificate with your name and e-mail
address on it. The hard part is getting others to vouch for its
authenticity. At some computer fairs you will find a booth where you can
get your public PGP key signed by a trusted authority (at the CeBit it's
c't magazine).

- Daniel

On Fri, 2003-05-09 at 23:48, Evans, TJ (BearingPoint) wrote:
> At one time, i.e. - don't know if it still the case - Thawte would
issue a
> "personal cert" free.  
>
> One advantage PGP has is the existing infrastructure for key
distribution,
> so that you do not necessarily need to have someone's public key (yet)
in
> order to encrypt to them or verify their signature.  If they have
pushed it
> out to the publicly accessible key-servers you can get it as needed. 
But
> again - it depends on what problem you are trying to solve and your
> preferred method of doing so.
>
>
> TJ

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html