Russ Housley <housley(_at_)spyrus(_dot_)com> wrote:
Support for PGP requires a bit more than this. You also need to carry
non-X.509 PGP certificates. CMS does not permit this.
The need to lug armfuls of certs around with you wherever you go is an
artifact of X.509, not something required by PGP. All that PGP (and
SPKI) require is a way to identify the key used to sign or encrypt data
(the PGP native format doesn't even provide a way to communicate certs
a la CMS's CertificateSet, so it's really not an issue).
(To put it another way, given support for PGP and SPKI key ID's in the
xxxInfo's, I can have a fully compatible implementation running in an
afternoon).
Peter.