Shortly after Symantec acquired PGP Corp (see related post), I was involved in a debate about whether or not PKI implementations that depended on X.509 certificates were “winning” against PKI implementations that use “web of trust” (WOT). After all, much of PGP’s original appeal, especially with underground communities, was that it was based on a model of WOT rather than delegated authority.
The argument either ran that WOT was “hot”, because its champion company was just acquired for $300M, or that WOT was “cold”, because its champion company had just been bought out of the market.
My belief is that WOT is fading, not just because PGP Corp was acquired, but also because PGP Corp itself was making or had made several technology decisions to integrate X.509 into PGP encryption and signing processes and even to act as an X.509 certificate authority.
And it’s not just PGP Corp; many commercial PGP vendors have concentrated on building a key management framework to make WOT less about individual- or machine-specific trust and more about lighter administration loads through delegated trust – a core feature that X.509 certificate-based models typically bring to the table.
And it’s not even just PGP encryption: another popular technology in the same decentralized mould is SSH, where each client keeps its own local store of the individual server keys it trusts (strictly, trust on first use with per-host key pinning rather than a signed web of trust, but it carries the same per-client administration burden). We have already heard from a handful of customers and prospects who would like us to integrate X.509 certificate authentication into our SSH protocol support (and some competitors already have), again to address the key management issues common to plain old WOT.
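To make the “local store of individual server keys” concrete, here is an added example (written for this page, not code from the original post or from any vendor’s product) that models how an OpenSSH client consults its `known_hosts` file: it parses plain and hashed host entries, honours `@revoked` lines, and reports the four outcomes a connection can hit. The host names, salt and key blobs are constructed for the example, and the matching logic is a simplified model of ssh(1), not its source.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs; in a real file these are base64 wire-format
# public keys. The content of the blob does not matter for the trust check,
# only whether it is byte-for-byte the one pinned in the store.
GATEWAY_KEY = base64.b64encode(b"constructed gateway ed25519 blob").decode()
DB_KEY = base64.b64encode(b"constructed db rsa blob").decode()
OLD_DB_KEY = base64.b64encode(b"constructed old db rsa blob").decode()
# OpenSSH uses a random 20-byte salt per hashed entry; fixed here for the sample.
SAMPLE_SALT = b"0123456789abcdef0123"


def hash_hostname(hostname: str, salt: bytes) -> str:
    """OpenSSH hashed-hostname form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def host_matches(pattern: str, hostname: str) -> bool:
    """Match a host field against a name: hashed entries and comma lists (no wildcards)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in pattern.split(",")


def parse_known_hosts(text: str):
    """Yield (marker, hosts, keytype, blob) per entry; marker is None or e.g. '@revoked'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            marker, rest = fields[0], fields[1:]
        else:
            marker, rest = None, fields
        if len(rest) < 3:
            continue  # malformed line; skipped rather than trusted
        hosts, keytype, blob = rest[:3]
        yield marker, hosts, keytype, blob


def check_host_key(known_hosts: str, hostname: str, keytype: str, blob: str) -> str:
    """Return 'ok', 'revoked', 'mismatch' (a pinned key of this type differs: possible
    MITM or an unannounced rekey) or 'unknown' (nothing pinned for this key type: the
    trust-on-first-use prompt). Simplified model of the ssh(1) known_hosts check."""
    matching = [e for e in parse_known_hosts(known_hosts) if host_matches(e[1], hostname)]
    for marker, _, ktype, kblob in matching:
        if marker == "@revoked" and ktype == keytype and kblob == blob:
            return "revoked"  # revocation wins regardless of ordering in the file
    seen_same_type = False
    for marker, _, ktype, kblob in matching:
        if marker is not None:
            continue  # other markers (e.g. @cert-authority) are outside this pinned-key model
        if ktype == keytype and kblob == blob:
            return "ok"
        seen_same_type = seen_same_type or ktype == keytype
    return "mismatch" if seen_same_type else "unknown"


def build_sample_store() -> str:
    """Constructed known_hosts contents: a plain entry with two names, a hashed entry,
    and a revoked old key for the same host."""
    return "\n".join([
        "# constructed sample, not copied from any real system",
        "gateway.example.internal,10.0.0.1 ssh-ed25519 " + GATEWAY_KEY,
        hash_hostname("db.example.internal", SAMPLE_SALT) + " ssh-rsa " + DB_KEY,
        "@revoked db.example.internal ssh-rsa " + OLD_DB_KEY,
    ])


if __name__ == "__main__":
    store = build_sample_store()
    for host, ktype, blob in [
        ("gateway.example.internal", "ssh-ed25519", GATEWAY_KEY),
        ("10.0.0.1", "ssh-ed25519", GATEWAY_KEY),
        ("db.example.internal", "ssh-rsa", DB_KEY),
        ("db.example.internal", "ssh-rsa", OLD_DB_KEY),
        ("db.example.internal", "ssh-rsa", base64.b64encode(b"attacker key").decode()),
        ("new.example.internal", "ssh-rsa", DB_KEY),
    ]:
        print(f"{host:26} {ktype:12} -> {check_host_key(store, host, ktype, blob)}")
```

The key management point is visible in the data structure: every client carries its own copy of this store, so rotating one server key means touching every store that pins it, and a key nobody has seen yet simply prompts the user. A certificate model collapses the per-host rows into a single issuer key that the client trusts once (OpenSSH’s own `@cert-authority` marker does this for OpenSSH certificates rather than X.509, but the delegation idea is the same one the post is describing).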
Finally, there are recent issues with eDiscovery. If you’re using pure WOT technologies to transfer files, only the individuals at the endpoints can see the data (unless special provisions are made to also make the eDiscovery process a recipient, etc.). However, if you’re a CA that’s issuing your users their keys, you have the opportunity to retain a secure (escrowed) copy of each user’s private key and to use it later to decrypt and read sensitive communications as necessary. (This only holds when the CA generates or backs up the key pair centrally; merely signing a certificate for a key the user generated gives the CA no copy of the private key.)
In short, my view is that X.509 certificates ARE “winning” against webs of trust, at least in business environments, and that WOT’s security role will mainly be reduced to two niches:
- Individual people who want to share sensitive information, only with each other, and have no eDiscovery requirements (this is close to PGP’s original purpose)
- Remote console sessions to key equipment in small businesses (SSH shines here today, but I still don’t see much use of SSH-based mutual authentication in larger companies)
What are your thoughts on this?