Steve K??:
Except by the tone of the answer it is hard to tell which Steve it
is since the header gives no clues. For your information, I did go
back to 3/25/92 to read all pem-dev messages prior to making even the
slightest peep on this conference as that was all that was available
on the host that I am using. This entire effort seems
prejudiced against new members, new ideas or new ways of viewing
things that are, admittedly, old problems. Perhaps that should
say something about the results of your efforts. If PEM is to succeed,
there is a certain amount of proselytizing that is required. Many
standardization efforts are overwhelmed just at that point where
the standard becomes popular and more people are interested in it and
(more importantly) affected by it. If that is a problem, address it
now, create some other forum for the novice, or take some action that
will give new participants a place to learn to love PEM.
Looking at a thing (DN) which contains a country, city, state, or
company is not my name nor is it me, no matter how many times you say
it or which standard says it. Any damnfool can look at a snailmail
envelope and determine which is the name and which is the address.
I defy anyone to look at some of the garbage that comes over the wire
to me and make a clear distinction between the name(s) and the
address(es). After >5 years I would hope that someone in this effort
could distinguish between a name and an address, but that seems not to
be the case. Perhaps the difficulty is that y'all continue to use
the words "name" and "address" when what you have in mind is something
else entirely. This is reminiscent of the distinction between the
computer's store and the human memory. No one ever has been able to
change the name of RAM even though memory is clearly not the issue at hand.
Since it seems to have been lost, I repeat my point from the last missive:
"the DN is not me, and I will surely need multiple DNs". Eva's
comment that "the DN is <me> since it is everything that is known about
<me> which <I> wish to disclose to others" is clearly not true if I
have different certificates from different CAs disclosing different
amounts of information about me to different interchange partners.
It seems that the certificate serves as a binding between the DN and
the public part of the key, but that some physical verification
THAT IS OUTSIDE THE ELECTRONIC REALM and is, as yet, unknown, serves
as the binding between the person and the DN. Is there any difference
between that and the binding between me and my address that makes me
a citizen of AZ (as opposed to OH)? For those of you with children in
public universities, the binding between you and your state of residence
becomes a matter of some financial interest. If the DN binds me to some
place, city, state, employer, or whatever, I find it hard to distinguish
it from an address.
The suggestion that the employer "might even want to retain access to
the private component of the key pair it provides, to ensure access to
encrypted messages addressed to you in your capacity as an employee",
misses the point about signatures. If an employer does retain access
to the private component of the key pair, then it will be able to sign
a legally binding document that could subject the employee to criminal
action if drugs or environmental or tax issues were involved. It would
even be possible to fabricate this evidence after the employee left
the company. What then is the point of individual private keys if they
are not private? Again I ask, who owns my digital signature, even the
one used in an official capacity in a company?
Peace
TCJones@dockmaster.ncsc.mil