The UCL PEM provides a domaine to DN mapping
based on DSA use (Quipu).
Mapping X.500 Distinguished Names to e-mail addresses can probably
be achieved in a number of ways. Use of the X.500 directory
certainly sounds like an elegant solution. We have also experimented
with simple alias files.
In any case, it is important to authenticate the binding before
utilizing the resulting distinguished name for creating digital
envelopes. This can be done proactively by use of strong
authentication (digital signatures) on the X.500 information or alias
information. It can also be done retroactively (after name lookup but
before key use) by presenting the end-user with a confirmation: "Is
this the distinguished name that you thought you were specifying ?".
Cheers,
Steve Dusse
RSA