On Fri, May 24, 2002 at 04:40:36PM -0700, Eric Murray wrote:
> Additionally, there is nothing that prevents one from issuing certs that can be used to sign other certs. Sure, there are key usage bits etc., but it's possible to ignore them.
The S/MIME-aware MUAs do not ignore the trust delegation bit. Therefore you cannot usefully sign other certs with a user-grade certificate from Verisign et al. If you make your own CA key (with the trust delegation bit set) and self-sign it, S/MIME-aware MUAs will also flag signatures made with it as invalid signatures, because your self-signed "CA" key is not signed by a CA in the default trusted CA key database.
> It should be possible to create a PGP-style web of trust using X.509 certs, given an appropriate set of cert extensions. If Peter can put a .gif of his cat in an X.509 cert, there's no reason someone couldn't represent a web of trust in it.
While it is true that you can extend X.509v3, I don't see how useful it would be to add a WoT extension until it got widely deployed. Recipient MUAs will at best ignore your extensions, and at worst will fail on them until support for such an extension is deployed. I view the chances of such an extension getting deployed as close to nil. The S/MIME MUA / PKI library / CA cartel has a financial incentive not to deploy it -- as they view it as competition to the CAs' business.

Adam