Manage Learn to apply best practices and optimize your operations.

The strengths and weaknesses of PKI and PGP systems

PKI and OpenPGP can enhance the security of your data, but these services differ in how they manage digital certificates. SearchSecurity.com expert Michael Cobb explains the distinct strengths and weaknesses of each program.

What is the logistic weakness of PGP and PKI systems?

Before I answer this question, let's review some definitions so that we're clear about what weaknesses we're looking at. PKI, or public key infrastructure, is a framework for services that provide for the generation, distribution, control and accounting of public key certificates. This public key system ensures secure user authentication, network traffic encryption, data integrity and non-repudiation. PGP meanwhile is an application actually derived from the IETF open standard OpenPGP. Like PKI systems, OpenPGP uses both public-key cryptography and symmetric key cryptography, but the program differs in how it vets and binds public keys to user identities. Unlike PKI arrangements, OpenPGP is based on a web of trust rather than certificate authorities (CA). OpenPGP allows users to choose who they trust, whereas users in a PKI system defer to a trusted CA. Commercial CAs, however, need to ensure that their own certificate is incorporated into the major browsers and messaging applications in order to provide this chain of trust. Finally the definition of logistics is the activity of supplying or providing something, and in the case of OpenPGP and PKI, this would be considered the efficient management, distribution and validation of a public key contained within a user's certificate.

So what are the weaknesses of these two systems in terms of managing, distributing and validating digital certificates? Well, while PKI can identify Web servers and allow transactions over SSL, it lacks large-scale acceptance because the cost and registration process involved with "supplying and providing" client-side certificates is burdensome. Additionally, the management and revocation of certificates requires a highly complicated structure, not to mention scalability brings additional costs of computer resources and help desk support. On the other hand, PGP has flourished for many years without the need to establish a centralized CA because OpenPGP makes use of the concept of trusted introducers, allowing anyone to sign anyone else's public key. This decentralized approach removes the cost of CAs from the delivery process, but still requires key servers to act as public repositories so that everyone can reference users' public keys.

Most modern applications well-manage X.509 digital certificates used by PKI systems, even when it comes to the less experienced user. Non-interoperability is becoming less of a problem, too. There are plug-ins implementing PGP functionality for the more popular email applications, such as Microsoft Outlook, but a plug-in is always susceptible to implementation errors.

Although neither PKI nor OpenPGP are perfect, (neither arrangement has economically solved the problem of user certificate mobility and security, for example), the programs provide defense to original Internet protocols that don't have built-in security. They also ensure secure data and message sharing. When it comes to sensitive data, not using either is always going to be a risk.

This was last published in September 2006

Dig Deeper on PKI and digital certificates