Alternatives to PGP

Although this chapter has focused on PGP, you should realize that other options are available to you. As we mentioned, systems that are similar to PGP exist, operating on a Public Key Infrastructure (PKI). Whereas PGP operates on a Web of Trust, the commercial PKI-based systems operate through Certificate Authorities (CAs).

The PGP Web of Trust distributes the responsibility of maintaining valid and legitimate public keys among the community of PGP users. This has advantages such as the freedom to change keys at will and the freedom to set up and use keys. The disadvantages of the Web of Trust model include the security problems that exist with distributed key management. It is not always easy to tell whether a person's public key is valid and current. Sometimes it takes an experienced PGP user to be able to look at a key and tell whether it is legitimate. An important point to remember is that just because a PGP public key is signed doesn't mean it is valid.
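The point that a signed key is not necessarily a valid one can be shown with a small model of how one user might assess keys. This is an added example, not code from the book or from any PGP implementation; the key names, dates and the simplified rule (one fully trusted signer or three marginally trusted ones, modelled on GnuPG's default thresholds) are assumptions.

```python
from datetime import date

FULL, MARGINAL = "full", "marginal"

# Assumption: thresholds modelled on GnuPG's defaults
# (--completes-needed 1, --marginals-needed 3).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def assess_key(key, owner_trust, today):
    """Judge one public key from a single user's point of view.

    owner_trust maps signer name -> FULL or MARGINAL for the introducers
    this user has chosen to trust; any other signer counts for nothing.
    """
    if key["revoked"]:
        return "invalid: revoked"
    if key["expires"] is not None and key["expires"] < today:
        return "invalid: expired"
    if not key["signed_by"]:
        return "invalid: unsigned"
    levels = [owner_trust.get(signer) for signer in key["signed_by"]]
    if levels.count(FULL) >= COMPLETES_NEEDED:
        return "valid"
    if levels.count(MARGINAL) >= MARGINALS_NEEDED:
        return "valid"
    return "invalid: signed, but not by enough trusted introducers"


def assess_keyring(keyring, owner_trust, today):
    return {name: assess_key(k, owner_trust, today) for name, k in keyring.items()}


# Constructed sample data: one user's trust choices and four keys received.
TODAY = date(2024, 1, 15)
OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL}
KEYRING = {
    "frank": {"signed_by": ["bob"], "expires": None, "revoked": False},
    "grace": {"signed_by": ["carol", "dave"], "expires": None, "revoked": False},
    "eve": {"signed_by": ["mallory", "oscar", "trent"], "expires": None, "revoked": False},
    "heidi": {"signed_by": ["bob"], "expires": date(2023, 6, 1), "revoked": False},
}

if __name__ == "__main__":
    for name, verdict in assess_keyring(KEYRING, OWNER_TRUST, TODAY).items():
        print(f"{name:6s} {verdict}")
```

The key for "eve" carries three signatures and is still rejected, because none of the signers is an introducer this user trusts; "heidi" is signed by a fully trusted introducer but is no longer current.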

The commercial PKI-based systems take away these disadvantages and bring new ones. The CAs take on the responsibility of managing all public keys and ensuring that they are valid and current. This centralization adds more security to the exchange of public keys in some people's minds.

Several companies exist as central Certificate Authorities to offer, sell, and manage the digital certificates and infrastructure for individuals and companies to communicate securely. Some of the largest include the following:

PGP and commercial PKI have traditionally represented two similar concepts that use two different systems to manage key exchange and secure communications. However, the creation of the OpenPGP Consortium is changing this, and the future will most likely see more PKI solutions based on the OpenPGP standard. In fact, PKI and PGP go hand in hand, as they always have.
