-----BEGIN PGP SIGNED MESSAGE-----
Chris Bonatti wrote:
Unless I misunderstand you, the e-mail address is not then bound
into the certificate structure. I'm reading out of what
your last couple of messages that we would submit the e-mail
address as an submission argument to the keyserver, but that
this would be absent from the certificate.
Sorry, I didn't answer this explicitly enough. I did not mean that
e-mail addresses should not be included in certificates. I was merely
agreeing with (I think) Charles Breed or Jon Callas that a certificate
shouldn't HAVE to include an address. This would make it difficult for a
system-wide distributed keyserver scheme as you then need some other
method to look up a key. An e-mail only keyserver scheme is fine,
however; keys which are intended for use by e-mail can be certified, and
looked up using their address as a hint where to go for the lookup. I'm
not sure if there's enormous need for keyservers in areas not related to
the DNS.
Rik Drummond wrote:
The email address must be tightly bound in the cert so that spoofing
is not possible.
Which is what DNSSEC would allow; the domain of the e-mail address would
certify (not directly within the certificate, but by providing the key
as a trusted domain) that it at least believes the stated key belongs to
the stated address. Which is a good start, and perhaps all that is
necessary for the majority of correspondence between strangers.
Ian.
-----BEGIN PGP SIGNATURE-----
Version: Cryptix 2.21
iQCVAgUANCk2G5pi0bQULdFRAQF4IAP+KbjSUlx2lOE9wlOnb2Sx8gkXRQPo5/6iFalVaZwVDDvI
xwnfHSz4Obck4eTtuaIiFLNH+V5Z5U3VHJsguIjSSJg/mZIK8htFPXlPCR5Uj7GoUwGVmc9dUn/j
PLYoB8MKobfsOrMXAbxUwYfDX5i+DrXbFJ8YaQK7N5xH6Hf3YF8=
=A5uj
-----END PGP SIGNATURE-----