So what are the weaknesses of these two systems in terms of managing, distributing and validating digital certificates? Well, while PKI can identify Web servers and allow transactions over SSL, it lacks large-scale acceptance because the cost and registration process involved with "supplying and providing" client-side certificates is burdensome. Additionally, the management and revocation of certificates requires a highly complicated structure, not to mention scalability brings additional costs of computer resources and help desk support. On the other hand, PGP has flourished for many years without the need to establish a centralized CA because OpenPGP makes use of the concept of trusted introducers, allowing anyone to sign anyone else's public key. This decentralized approach removes the cost of CAs from the delivery process, but still requires key servers to act as public repositories so that everyone can reference users' public keys.
Most modern applications well-manage X.509 digital certificates used by PKI systems, even when it comes to the less experienced user. Non-interoperability is becoming less of a problem, too. There are plug-ins implementing PGP functionality for the more popular email applications, such as Microsoft Outlook, but a plug-in is always susceptible to implementation errors.
Although neither PKI nor OpenPGP are perfect, (neither arrangement has economically solved the problem of user certificate mobility and security, for example), the programs provide defense to original Internet protocols that don't have built-in security. They also ensure secure data and message sharing. When it comes to sensitive data, not using either is always going to be a risk.
This was first published in September 2006