Tom,
The intolerance to "new iedas" which you cite is really more
of a reaction about the timeliness of your comments. The PEM RFCs
have been issued. They are not internet drafts, but rather Proposed
Standards. Numerous arguments about naming, certification,
certification topology, etc. took place on this list over a period of
several years and the RFCs reflect the informed concensus of the
pariticpants in those discussions. While reading material back 1 year
is certainly the right approch to coming up to speed, it may not
suffice for some of these discussions. Perhaps you are right, that we
need a forum for newcommers to learn about PEM. However, your message
has a tone not of learning but of objecting to established
terminology, in the course of raising questions which have been
discussed prior to your archival search.
I interpreted your comments about whether DN are "names" or
"email addresses" used for routing as a technical, not philosophical,
issue, given the terminology you employed. The terms used in
conjunction with DNs are well documented in the international
standards literature and are used appropriately in the PEM RFCs. I'm
not sure that a philosophical discussion of "what's a name" is really
appropriate at this point. As Marshall Rose noted, if you want to
talk about DNs in general, rather than in any PEM-centric way, there
are appropriate fora which he identified.
The issue of how one establishes the real world binding
between an entity and its DN is left to the policy of the PCA under
which certification takes place. RFC 1422 describes this as part of
the PCA policy statement. It is not a question for which there is no
answer, but rather a question for which there are multiple acceptable
answers, as noted in that RFC.
Getting back to your question of who owns a digital signature
(really who has what rights to the private key used to effect the
signature), I think the examples cited earlier provide a good basis
for answering that question. In a business environment, it is quite
likely that a company will establish conventions for using digital
signatures in a fashion that has any legal/fiduciary implications. It
is unlikely that these conventions will create the opportunity for the
problems you cite with regard to use of personal PEM keys/certificates
by employees. For example, you might be given a smart card or PCMCIA
card with the private key for the purchasing manager role and would
employ that card to sign EDI transactions on behalf of the company.
Should your job change, or you leave the company, the card would be
returned, or the certificate for the purchasing agent role would be
hot listed and another certificate, with a new key, would be issued
and provided to the new purchasing agent.
If you are really intersested in appropriate safeguards and
conventions for electronic commerce, I refer you to the papers written
by Addison Fischer (e.g., see his paper in recent NCSC proceedings)
and the ongoing work of the ANSI X9F1 committee (digital signature
standards for the financial industry).
Finally, if you had trouble identifying which Steve sent the
message, despite the appearance of my DNS mailbox name in the header,
then perhaps this is a good example of why DNs are better names for
people than the mailbox names/addresses used today.
Steve