From: "Bonatti Chris" <bonattic(_at_)ieca(_dot_)com>
> This is a good approach, although by itself it does not address
> the totality of the e-mail requirement. You still need some way
> to bind the e-mail address to the key. Whatever the principal
> is, this is a function that's got no better place to roost than
> the public key infrastructure.

Yes. See the SPKI requirements.

> I think this is a great way to look at it. Using the public
> key, its hash or fingerprint as *the* DN allows all sorts of
> important functionality like authorisations. E-mail is probably
> the most widespread use of PGP at the moment, but can be
> considered separately. E-mail users in effect can state to the
> world (via keyservers) that their public key 'speaks' for a
> certain address (to use SPKI lingo). So, if a key is to be used
> for e-mail, it must contain such a 'tag' with an e-mail
> address. If not, no problem.
>
> Unless I misunderstand you, the e-mail address is not then bound
> into the certificate structure.

You misunderstand. When used for email, the email address is signed
as part of the certificate.

The email address is a "tag", signed by the principal (and other
introducers). Think of it as a URI. It says where to look for the key.

WSimpson(_at_)UMich(_dot_)edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson(_at_)MorningStar(_dot_)com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
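An added illustration of the model discussed in this thread (not code from the list or from any PGP/SPKI implementation): the key's fingerprint is the principal, and an e-mail address is a "tag" signed by that key, so a verifier can check that the key speaks for the address without any separate name-based DN. It assumes Ed25519 and a SHA-256 fingerprint purely for illustration; neither is the OpenPGP or SPKI fingerprint algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint is the principal's identity: a hash of the raw public key.
// (SHA-256 is an assumption for this example, not the PGP fingerprint.)
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// EmailTag binds an address to a principal; the binding is signed by the
// principal's own key, so it travels with the key rather than with a name.
type EmailTag struct {
	Principal string // fingerprint of the key that "speaks for" Address
	Address   string
	Sig       []byte
}

// tagBytes is the exact byte string the signature covers (constructed format).
func tagBytes(principal, address string) []byte {
	return []byte("email-tag\x00" + principal + "\x00" + address)
}

// SignEmailTag is the key holder asserting "this key speaks for address".
func SignEmailTag(priv ed25519.PrivateKey, address string) EmailTag {
	fp := Fingerprint(priv.Public().(ed25519.PublicKey))
	return EmailTag{Principal: fp, Address: address, Sig: ed25519.Sign(priv, tagBytes(fp, address))}
}

// VerifyEmailTag checks that the tag names this key as principal and that the
// signature covers the binding; an altered address or a foreign key fails.
func VerifyEmailTag(pub ed25519.PublicKey, tag EmailTag) bool {
	if tag.Principal != Fingerprint(pub) {
		return false
	}
	return ed25519.Verify(pub, tagBytes(tag.Principal, tag.Address), tag.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tag := SignEmailTag(priv, "alice@example.net") // constructed sample address
	fmt.Println(tag.Principal, VerifyEmailTag(pub, tag))
}
```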