Russ Housley wrote:
The PKIX Working Group is responsible for the certificate. They are
addressing certificate extensions that provide some of the stuff you are
talking about. Thus, if the user's certificate is provided, it should be
enough to get the rest of the certificates needed to get the whole chain.

In the minimal case the user's certificate will not be provided. Also,
since some of the CAs include the large disclaimers in the user
certificate, this won't always help.

Equally, certificate extensions are all very well, but you are then at
the mercy of the individual CA to support them.

The problem occurs quite often. Frequent flames in mailing lists or
newsgroups about wasted bandwidth discourage new users from signing mail
or encourage them to use PGP instead of S/MIME.

Dr Stephen N. Henson.
Freelance Cryptographic Consultant.
PGP key: http://www.drh-consultancy.demon.co.uk/key.asc