X509 is a standard for defining a DigitalCertificate. It is the signing system used for SSL. The X509 PublicKey security model is almost completely incompatible with the OpenPGP PublicKey security model, but they serve very different purposes. X509 is hierarchical and commerce-oriented, whereas PGP/GPG is massively distributed, very fault tolerant and works using a WebOfTrust.

Some useful documentation on X509 certificates: http://java.sun.com/j2se/1.4.2/docs/guide/security/cert3.html

Some information about how to implement X509: http://www.cs.auckland.ac.nz/pgut001/pubs/x509guide.txt This is also an interesting read for finding out why X509 is such a bizarre standard.

Things that use X509 certificates:

  • Various code-signing schemes, such as signed Java ARchives, and Microsoft Authenticode (because these things are built upon SSL).
  • Various secure E-Mail standards, such as PEM and S/MIME (S/MIME can also use OpenPGP).
  • E-Commerce protocols, such as SET.
  • MicrosoftWindows

Why you won't find much X509 information on the InterNet

The X509 standard was developed by the ITU-T, which charges money for versions of the standard rather than making them freely available over the InterNet. This is not a problem if you work for a big telecommunications company which has the resources to get you a copy of the standard, but it can be a significant barrier to entry for smaller players and OpenSource developers. This may be a reason for the lack of X509 support in the open source world, especially compared to things like OpenPGP and other freely available standards.

Breaking news! The ITU is allowing you to download any 3 specifications per year for free. Which is great, since things like X509 rely on other standards, but by 2033 you may have enough information! :)


CategoryStandards