Eric:
I guess that we will have to determine whether or not the CA performed
public key validation prior to certification from the certificate policy
OID. This is not a very nice answer, but I cannot come up with another
answer.
Can you produce some proposed text for this? Is there a fixed set of
OIDs that are appropriate or do you need an ever-growing lookup table?
For now, I think that we should simply say that the public key validation
does not need to be performed by the end entity if the CA did the
validation at the time the public key was certified. I think that the PKIX
group should propose a mechanism for indicaing that validation was done in
a certificate. Once that is specified, we can duplicate the information in
the S/MIME documents before DRAFT standard.
Russ