Eric Murray <ericm@lne.com> writes:

Additionally, there is nothing that prevents one from issuing certs that can be used to sign other certs. Sure, there are key usage bits etc but its possible to ignore them. It should be possible to create a PGP style web of trust using X.509 certs, given an appropriate set of cert extensions.

I proposed some very simple additions to X.509 which would allow you to use the certs in the same way as PGP keys a year or two back. Unfortunately the PKIX WG chair is about as open to PGP-style additions to X.509 as some PGP people are towards S/MIME. (You can also do PGP using X.509 certs, I've been doing that for awhile just out of sheer bloody-mindedness :-). Peter.