Seconded. A decent X509 key is little if any different in practical terms from a PGP key - both use DH or RSA, both support ~128 bit crypto (well, pgp gained 256 bit AES at one point, but I am sure SSL will adopt it soon) and because all major web browsers support HTTPS (which obviously is effectively the same as X509 secure mail from a crypto standpoint - the certs can even serve double duty) then the little bit of additional coding to use the browser crypto in bundled email clients (oe or ns-mail for example) is small.
The major difference between X509 and pgp is authentication. pgp relies on the user to make his own trust decisions, while X509 *requires* you to place absolute trust in a Certification Authority, who may (but probably isn't) worth that trust. I don't mind this for HTTPS (as I dont have any way to verify a website personally) but object to it in my email - I dont' want to trust someone because they convinced someone over the phone in america they were who they said they were - I want to trust someone because I checked the key myself - and only then.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/95/15813#15813