Newbie - basic Cert Q's - PGP
-
Newbie - basic Cert Q's
************************************************************************
**** This is a repost of an old question being asked back in 2001 *****
************************************************************************
**** the person did not receive any answers to his post. *****
**** because I have the same questions I am reposting (c & p) his. *****
**** thank you for your comments *****
************************************************************************
From: Chris L (chris@ooc2000.com)
Subject: Newbie - basic Cert Q's
Newsgroups: comp.security.pgp.discuss
Date: 2001-03-22 08:11:10 PST
Howdy all. I'm a C/Java/PHP mutt programmer, and I have to do some
PGP stuff. I've been doing some reading the last several days. One
thing that has me quite confused is certificates, particularly the
realpolitik of how to get them, and which kind to get.
I think I understand that a certificate is used instead of a public
key - it's sort of an 'official' public key. (In OOPese, certificates
are a subclass of public key.) So in any instance where I would
provide a public key, I instead provide a certificate. Further, there
are (at least?) two kinds of certificates: PGP, and X.509.
Okay, I'm trying to develop an online document exchange system, where
all kinds of users upload documents, and have the option of signing
them (or maybe they get signed automatically - who knows). To sign a
document, all I need is a PGP keypair (I guess I'd write an ActiveX or
something to make the signing happen on the clientside - obviously I
can't be storing keypairs centrally). However, I don't really want
untrusted public keys floating around; I'd like to use certificates
instead. I can think of three options:
1) Use PGP certificates, which are free
2) Use X.509 certs from Verisign or somebody
3) Become a CA, and issue my own X.509 certs.
In some ways #1 and #3 are the same thing. I have to figure out how to
actually create and issue the certs, plus I have to think of a way to
actually make sure they're meaningful - if I just have a form to fill
out that sends you your cert, then I have an 'official' public key
that isn't any more authentic than a normal public key. I don't seem
to read anything about PGP certs except in the How PGP Works doc, so
are they never really used? With #2, the problem would be that
Verisign's certs aren't cheap (maybe I could make some sort of bulk
arrangement), and I have no idea which ones to buy. Their site has SSL
certs, Authenticode certs, Netscape certs, Email certs - I'm lost!
More mysteries - how can I turn an existing public key into a
certificate? If I buy a cert from Verisign, I don't really want a
whole new public key, I just want to wrap my existing key. Or is a
certificate just a 'wrapper'? Also, although I read things like 'sign
the message with your certificate', my guess is that this is
inaccurate, since you wouldn't sign something with your public key. So
what really happens? Does your cert somehow go on your keyring, and so
when you sign a document, both your private key and cert are used to
create the signature? And what if I decide to be a CA and issue
X.509's - but I also want to accept Verisign and other X.509s? What
then?
An interesting world, no doubt. Thanks for any help,
Chris
P.S. Eek - this got pretty long. Sorry.
-
Re: Newbie - basic Cert Q's
On 10 Aug 2004 07:49:58 -0700, in article
<42da0084.0408100649.211a54b8@posting.google.com>, q01100110@yahoo.com
(good man) wrote:
>
I can't help with most of your post I'm afraid but you can get
software for creating your own self-signed certs from here:
http://secure.sylikc.net:8080/self_signed/
http://www.hohnstaedt.de/xca.html
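
An added example, not part of either post and not taken from the tools linked above: using the OpenSSL command line, it wraps an already existing key pair in a self-signed X.509 certificate, signs a document with the private key, and verifies the signature with the public key taken from the certificate. The file names, subject name and sample document are constructed for the demo.

```sh
#!/bin/sh
# Added demo. File names, subject and document text are constructed.

# Create a working directory holding an "existing" RSA key pair, a
# self-signed certificate that wraps that same key, and a sample document.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/user.key" 2048 >/dev/null 2>&1 || return 1
    # -key reuses the existing key: no new key pair is generated here.
    openssl req -new -x509 -key "$d/user.key" -sha256 -days 30 \
        -subj "/CN=Demo User/O=Example Doc Exchange" \
        -out "$d/user.crt" >/dev/null 2>&1 || return 1
    printf 'constructed sample document\n' > "$d/doc.txt"
    echo "$d"
}

# SHA-256 of the DER public key, taken from the private key file ...
key_pub_digest() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# ... and from the certificate. Equal digests mean the cert carries that key.
cert_pub_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# sign_doc KEY DOC SIG: the signature is made with the private key only.
sign_doc() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# verify_doc CERT DOC SIG: the verifier needs only the certificate.
verify_doc() {
    pub=$(mktemp) || return 1
    rc=0
    openssl x509 -in "$1" -noout -pubkey > "$pub" &&
        openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1 || rc=$?
    rm -f "$pub"
    return "$rc"
}

dir=$(make_demo) || exit 1
sign_doc "$dir/user.key" "$dir/doc.txt" "$dir/doc.sig"
verify_doc "$dir/user.crt" "$dir/doc.txt" "$dir/doc.sig" && echo "verified with cert"
rm -rf "$dir"
```

Because the certificate is self-signed, the name in it is vouched for only by the key holder; a verifier still has to decide separately whether to trust that certificate.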