One of the criticisms frequently applied to S/MIME in mailing lists and
newsgroups is the size of the signatures. When there are lots of two
line messages with >4K signatures one can perhaps sympathize.
The vast bulk of the signature is the certificate chain: frequently
containing large legal statements and disclaimers from the issuing CA.
Neither the v2 nor the v3 specs require that the whole chain is included
with each message: if the recipient already has the sender's certificate.
The resultant "certificate-less" signature is much more compact.
However, it is not always realistic in a mailing list or newsgroup to
assume that each subscriber has the sender's certificate stored locally.
A manual solution to this problem would be to include a method in the
(non-digital) signature with details of how to obtain the certificate:
as is done with PGP.
The process could be automated by including a user-settable
authenticated attribute giving the receiving agent details of how to
obtain the certificate. Does such an attribute exist? If not, what are
people's feelings about adding one?
Steve.
--
************************************************************
* Dr Stephen N. Henson. *
* Freelance Cryptographic Consultant. *
* Email: shenson(_at_)bigfoot(_dot_)com *
* PGP key: http://www.drh-consultancy.demon.co.uk/key.asc *
************************************************************
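
The size trade-off raised in the message above, reproduced with the `openssl smime` command as an added example that is not part of the original post. The key, self-signed certificate and two-line message are constructed test data, and the function names are hypothetical helpers; `-nocerts` is the option that leaves the signer's certificate out of the signature.

```shell
#!/bin/sh
# Added example: size of a detached S/MIME signature with and without the
# signer's certificate. Key, certificate and message are constructed test data.

make_fixture() {  # $1 = work dir; throwaway self-signed identity
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Sender" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    printf 'Agreed, thanks.\nSee you on the list.\n' > "$1/msg.txt"
}

sign() {          # $1 = work dir, $2 = output file, rest = extra flags
    dir=$1 out=$2; shift 2
    openssl smime -sign -binary "$@" -in "$dir/msg.txt" \
        -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -outform DER -out "$out" 2>/dev/null
}

verify() {        # $1 = work dir, $2 = signature file, rest = extra flags
    dir=$1 sig=$2; shift 2
    # The self-signed certificate doubles as the trust anchor (-CAfile).
    openssl smime -verify -binary -inform DER -in "$sig" \
        -content "$dir/msg.txt" -CAfile "$dir/cert.pem" "$@" \
        -out /dev/null 2>/dev/null
}

# Prints: <bytes with cert> <bytes without cert> <verify with local cert> <verify without>
compare_signatures() {
    w=$(mktemp -d) || return 1
    make_fixture "$w" || return 1
    sign "$w" "$w/full.p7s" || return 1            # certificate embedded (default)
    sign "$w" "$w/bare.p7s" -nocerts || return 1   # "certificate-less" signature
    full=$(wc -c < "$w/full.p7s")
    bare=$(wc -c < "$w/bare.p7s")
    # A recipient holding the sender's certificate locally can still verify...
    verify "$w" "$w/bare.p7s" -certfile "$w/cert.pem" && have=yes || have=no
    # ...one without it cannot find the signer, which is the mailing-list problem.
    verify "$w" "$w/bare.p7s" && lack=yes || lack=no
    rm -rf "$w"
    echo "$((full)) $((bare)) $have $lack"
}

compare_signatures
```

With a single self-signed certificate the saving is only that one certificate; a real chain with CA certificates makes the gap correspondingly larger.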