
Re: Reducing signature sizes.

1998-04-07 14:07:14

The PKIX Working Group is responsible for the certificate.  They are
addressing certificate extensions that provide some of the stuff you are
talking about.  Thus, if the user's certificate is provided, it should be
enough to get the rest of the certificates needed to get the whole chain.


At 03:26 AM 4/7/98 +0100, Dr Stephen Henson wrote:
One of the criticisms frequently applied to S/MIME in mailing lists and
newsgroups is the size of the signatures. When there are lots of two
line messages with >4K signatures one can perhaps sympathize.

The vast bulk of the signature is the certificate chain: frequently
containing large legal statements and disclaimers from the issuing CA.

Neither the v2 nor the v3 specs require that the whole chain is included
with each message: if the recipient already has the sender's certificate.
The resultant "certificate-less" signature is much more compact.

However it is not always realistic in a mailing list or newsgroup to
assume that each subscriber has the sender's certificate stored locally.

A manual solution to this problem would be to include a method in the
(non digital) signature with details of how to obtain the certificate:
as is done with PGP.

The process could be automated by including a user-settable
authenticated attribute giving the receiving agent details of how to
obtain the certificate. Does such an attribute exist? If not, what are
people's feelings about adding one?

* Dr Stephen N. Henson.                                    *
* Freelance Cryptographic Consultant.                      *
* Email: shenson(_at_)bigfoot(_dot_)com                               *
* PGP key:  * 
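
The size trade-off discussed in this thread, as an added example that is not part of either message: it signs a constructed two-line message with the OpenSSL command-line tool, once with the signer's certificate embedded and once with -nocerts, then checks that the certificate-less signature verifies only when the recipient supplies the certificate locally. It assumes the openssl CLI is installed; the throwaway self-signed certificate, subject name and file names are constructed, and a real CA-issued chain would be larger.

```shell
#!/bin/sh
# Added example: detached S/MIME (PKCS#7) signature size with and without
# the signer's certificate. Keys, names and the message are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup() {
  # Constructed two-line message and a throwaway self-signed signer cert.
  printf 'Short reply.\nSee you there.\n' > "$WORK/msg.txt"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Sender' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

sign() {    # $1 = output file; remaining args = extra openssl options
  out=$1; shift
  openssl smime -sign -binary -in "$WORK/msg.txt" \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -outform DER -out "$out" "$@"
}

verify() {  # $1 = signature file; remaining args = extra openssl options
  sig=$1; shift
  openssl smime -verify -binary -inform DER -in "$sig" \
    -content "$WORK/msg.txt" -CAfile "$WORK/cert.pem" "$@" >/dev/null 2>&1
}

size() { wc -c < "$1" | tr -d ' '; }

setup
sign "$WORK/with.p7s"               # default: signer certificate embedded
sign "$WORK/nocerts.p7s" -nocerts   # "certificate-less" signature
echo "with certificate:  $(size "$WORK/with.p7s") bytes"
echo "certificate-less:  $(size "$WORK/nocerts.p7s") bytes"

# A recipient who already holds the certificate supplies it with -certfile.
verify "$WORK/nocerts.p7s" -certfile "$WORK/cert.pem" \
  && echo "certificate-less signature verifies with a locally stored cert"
# A recipient without it cannot locate the signer's certificate at all.
verify "$WORK/nocerts.p7s" \
  || echo "certificate-less signature cannot be verified without the cert"
```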
