RE: [Full-Disclosure] PGP vs. certificate from Verisign

From: Daniel Tams (
Date: 05/11/03

  • Next message: yossarian: "Re: [Full-Disclosure] PGP vs. certificate from Verisign"
    Date: 11 May 2003 00:00:33 +0200

    Yes, they still offer the free certificate. I have one myself. Here is a writeup on how you can use
    that free certificate to even sign your Java apps.

    It is very annoying, however, that only very few developers properly sign
    their public keys/certificates. Most just self-sign them. This is the
    case with X.509 as well as PGP. Whether you use PGP or X.509 you should
    always make sure it is signed by someone else, preferably someone
    trusted, otherwise the whole idea goes down the sink as any script
    kiddie could create a public key/certificate with your name and e-mail
    address on it. The hard part is getting others to vouch for its
    authenticity. At some computer fairs you will find a booth where you can
    get your public PGP key signed by a trusted authority (at the CeBIT it's
    c't magazine).

    - Daniel

    On Fri, 2003-05-09 at 23:48, Evans, TJ (BearingPoint) wrote:
    > At one time, i.e. - don't know if it is still the case - Thawte would issue a
    > "personal cert" free.
    > One advantage PGP has is the existing infrastructure for key
    > so that you do not necessarily need to have someone's public key (yet) in
    > order to encrypt to them or verify their signature. If they have pushed it
    > out to the publicly accessible key-servers you can get it as needed.
    > again - it depends on what problem you are trying to solve and your
    > preferred method of doing so.
    > TJ

    Full-Disclosure - We believe in it.
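
The distinction drawn in the message above, between a key that is only self-signed and one that someone trusted has vouched for, can be checked mechanically. This is an added example, not part of the original post: it parses the colon-delimited output of `gpg --check-sigs --with-colons`, and the key IDs, names, sample listing and `trusted` set are all constructed for illustration.

```python
# Constructed sample of `gpg --check-sigs --with-colons` output (not real keys).
SAMPLE = """\
pub:-:2048:1:AAAAAAAAAAAAAAA1:1052600000:::-:::scESC:
uid:-::::1052600000::::Alice Example <alice@example.org>:
sig:!::1:AAAAAAAAAAAAAAA1:1052600000::::Alice Example <alice@example.org>:13x:
pub:-:2048:1:BBBBBBBBBBBBBBB2:1052600000:::-:::scESC:
uid:-::::1052600000::::Bob Example <bob@example.org>:
sig:!::1:BBBBBBBBBBBBBBB2:1052600000::::Bob Example <bob@example.org>:13x:
sig:!::1:CCCCCCCCCCCCCCC3:1052700000::::Example Signing Booth <ca@example.org>:10x:
sig:?::1:DDDDDDDDDDDDDDD4:1052700000::::[User ID not found]:10x:
"""

# OpenPGP signature types 0x10-0x13 are certifications of a user ID.
CERT_CLASSES = {"10", "11", "12", "13"}


def certifiers(colon_output):
    """Map each primary key ID to the other keys whose certification verified."""
    result, current = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]                      # field 5: key ID
            result[current] = set()
        elif f[0] == "sig" and current and len(f) > 10:
            validity, signer, sigclass = f[1], f[4], f[10][:2]
            # "!" means gpg verified the signature; "?" means the signer's
            # public key is missing, so the signature proves nothing yet.
            if sigclass in CERT_CLASSES and validity == "!" and signer != current:
                result[current].add(signer)
    return result


def classify(colon_output, trusted):
    """Label every key by who, if anyone, vouches for it."""
    report = {}
    for keyid, signers in certifiers(colon_output).items():
        if signers & trusted:
            report[keyid] = "vouched-by-trusted"
        elif signers:
            report[keyid] = "signed-by-unknown"  # anyone can create a signer key
        else:
            report[keyid] = "self-signed-only"
    return report


if __name__ == "__main__":
    # Hypothetical set of signer key IDs the verifier has decided to trust.
    for keyid, status in classify(SAMPLE, {"CCCCCCCCCCCCCCC3"}).items():
        print(keyid, status)
```

A third-party signature from a key you have no reason to trust is reported separately, because it adds no more assurance than a self-signature.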
