Shortly after Symantec acquired PGP Corp, I was involved in a debate about whether or not PKI implementations that depended on X.509 certificates were "winning" against PKI implementations that use "web of trust" (WOT).
After all, much of PGP's original appeal, especially with underground communities, was that it was based on a model of WOT rather than delegated authority.
The argument ran either that WOT was hot because its champion company had just been acquired for $300M, or that WOT was cold because its champion company had just been bought out of the market.
My belief is that WOT is fading, not just because PGP Corp was acquired, but also because PGP Corp itself was making or had made several technology decisions to integrate X.509 into PGP encryption and signing processes and even to act as an X.509 certificate authority.
And it's not just PGP Corp: many commercial PGP vendors have concentrated on building a key management framework that makes WOT less about individual- or machine-specific trust and more about lighter administration loads through delegated trust - a core feature that X.509 certificate-based models typically bring to the table.
And it's not even just PGP encryption: another popular WOT technology is SSH, where each client trusts individual server keys held in its own local store.
In my years as a file transfer product manager, I heard from many customers and prospects who wanted me to integrate X.509 certificate authentication into my SSH protocol support. (See Tectia SSH for an example of a product that already does this.)
Again, these requests came in to specifically address the key management issues common to plain old WOT.
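To make the SSH side of this concrete, here is an added example (my own illustration, not code from the post or from any SSH product) of the per-client trust store the post is describing. OpenSSH keeps that store in a known_hosts file, where each line pairs a host name with one server public key. The script below parses the plain (unhashed) form of that file, computes the same SHA256 fingerprint that ssh-keygen prints, and classifies a presented server key as trusted, unknown, or changed. The host names and key bytes are constructed stand-ins, not real hosts or keys, and the parser deliberately skips hashed host lines and marker lines such as @cert-authority to stay short.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32: bytes) -> bytes:
    """Public key blob for ssh-ed25519: string("ssh-ed25519") + string(32 key bytes)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint in the form ssh-keygen -l prints: SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Parse plain known_hosts lines into (hostnames, keytype, key blob) tuples.

    Hashed hosts ("|1|...") and marker lines ("@cert-authority", "@revoked")
    are skipped here to keep the example focused on per-host key trust.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@") or line.startswith("|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        entries.append((hosts.split(","), keytype, base64.b64decode(b64)))
    return entries


def check_host_key(entries, host: str, keytype: str, blob: bytes) -> str:
    """Classify a server key the way a client must before trusting it.

    'trusted'  - host and key match a stored entry
    'unknown'  - no entry for this host and key type (first contact, TOFU)
    'changed'  - the host is known but presents a different key (rotation, or
                 something worse; the client cannot tell which on its own)
    """
    seen_host = False
    for hosts, ktype, known_blob in entries:
        if host not in hosts or ktype != keytype:
            continue
        seen_host = True
        if hmac.compare_digest(known_blob, blob):
            return "trusted"
    return "changed" if seen_host else "unknown"


# Constructed sample data: not real hosts, addresses or keys.
KEY_A = bytes(range(32))          # the key currently stored for the file server
KEY_B = bytes(range(32, 64))      # a different key, e.g. after a server rebuild
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts, for illustration only",
    "fileserver.example.test,10.0.0.5 ssh-ed25519 "
    + base64.b64encode(ed25519_blob(KEY_A)).decode(),
])
ENTRIES = parse_known_hosts(KNOWN_HOSTS)


def report(host: str, raw_key: bytes) -> str:
    """One-line verdict a client-side check could log for this host and key."""
    blob = ed25519_blob(raw_key)
    verdict = check_host_key(ENTRIES, host, "ssh-ed25519", blob)
    return f"{host} {fingerprint_sha256(blob)} {verdict}"


if __name__ == "__main__":
    print(report("fileserver.example.test", KEY_A))   # trusted
    print(report("fileserver.example.test", KEY_B))   # changed
    print(report("other.example.test", KEY_A))        # unknown
```

The point of the "changed" verdict is the key management problem the post is pointing at: when a server key rotates, every client that ever trusted the old key sees the same warning, and nothing in the local store can tell a legitimate rotation from an interception. Every client store has to be updated individually, which is exactly the administration load that pushes businesses toward delegated trust, where a certificate authority vouches for the new key and the clients only need to trust the authority.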
Finally, there are recent issues with eDiscovery. If you are using pure WOT technologies to transfer files, only the individuals at the endpoints can see the data (unless special provisions are made to also make the eDiscovery process a recipient, etc.).
However, if you are the CA that issues your users' certificates, you have the opportunity to retain a secure copy of your users' keys and to use those later to decrypt and read sensitive communications as necessary.
In short, my view is that X.509 certificates ARE "winning" against webs of trust, at least in business environments, and that WOT's security role will mainly be reduced to two niches:
- Individuals who want to share sensitive information only with each other and have no eDiscovery requirements (this is close to PGP's original purpose)
- Remote console sessions to key equipment in small businesses (SSH shines here today, but I still don't see much use of SSH-based mutual authentication in larger companies)