I absolutely agree.
I'm working away from the office, and my connectivity is limited or
else I would check the CMP and PKIX Part 1-7 draft.
Obviously S/MIME has to put the location of the certificate
somewhere associated with the digital signature, and I would suggest CMP,
in hopes that other protocols will use the same mechanism.
However, we also need the same mechanism, using precisely
the same attribute syntax and OID, within the certificate itself,
just as CRLDistributionPoint was provided.
Unless this has crept in while I wasn't looking, I'd suggest that you,
David, reprise this discusssion on both the PKIX and Federal PKI
list, and that we try to define and adopt such an attribute as quickly as
possible.
I'm not in as much of a hurry to gt this in S/MIME as I am to include it in
PKIX.
What would the syntax of the URI look like for an LDAP query?
The others I know.
Bob
From: Dr Stephen Henson <shenson(_at_)bigfoot(_dot_)com>
In the minimal case the user's certificate will not be provided. Also
since some of the CA's include the large disclaimers in the user
certificate this wont always help.
I agree with Steve. The issuer name and serial number contained in
SignerInfo is sufficient to retrieve the user's certificate from
a repository. If there were a global repository nothing more would
be needed. However, there isn't.
It would be useful to define an S/MIME "subjectCertRepository"
attribute: a URI with syntax IA5String (as used in GeneralName).
This attribute, along with issuer/serial and a suitable amount of
handwaving would allow the user's cert to be retrieved using
LDAP, ftp, http, etc.