pem-dev

Re: Mapping e-mail address to X.500 distinguished names for PEM.

1993-05-11 11:54:00
Alireza,

        The point you raise is a good one, and there are several
possible solutions.  As already noted, if one has X.500 DSAs
available, then the SMTP mailbox name is likely to be an attribute in
each user's directory entry (though not a distinguished attribute) and
so one could search by mailbox name to locate a certificate for a user
(for whom you already know the mailbox name).

        In the existing DNS environment, one could provide the same
sort of facility with minor extensions.  Today the DNS does not deal
in user-level (vs. host-level) records.  However, one could create a
new DNS record type for individual users, maillists, etc.  indexed by
(DNS) mailbox name.  The record could contain the certificate for the
user, or it could contain a full certification path for the user (more
bytes per-record but fewer fetches?).  As Steve Dusse points out, it is
important to examine the returned certificate and to make the decision
on user identification based on the DN in the certificate, rather than
on the DNS mailbox name.  However, after a user has satisfied himself
that the DNS name and the DN in the certificate are appropriately
matched, he can maintain this binding in a personal cache (along with
a local alias so that he doesn't have to type either the full DNS name
or the DN).

Steve
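A toy model of the scheme Steve sketches, added here as an example and not part of the original post or of any PEM implementation: a constructed table stands in for the hypothetical per-user DNS record type (holding a certification path per mailbox), identification is decided on the subject DN in the leaf certificate rather than on the mailbox name, and a personal cache keeps the mailbox-to-DN bindings the user has accepted along with a local alias. The mailbox, DNs and trusted root are all constructed values.

```python
# Added example (not from the original post): a toy model of the scheme above.
# A constructed "DNS" table holds, per mailbox, a certification path (leaf first).
# Identification is decided on the subject DN in the leaf certificate, not on the
# mailbox name; the personal cache records mailbox->DN bindings the user accepted.
from typing import Dict, List, Optional

Cert = Dict[str, str]  # constructed certificate: subject DN and issuer DN only
CONSTRUCTED_DNS: Dict[str, List[Cert]] = {
    "alice@example.org": [
        {"subject": "CN=Alice Example,O=Example Org,C=US", "issuer": "O=Example CA,C=US"},
        {"subject": "O=Example CA,C=US", "issuer": "O=Example CA,C=US"},
    ],
}
TRUSTED_ROOTS = {"O=Example CA,C=US"}  # constructed root the user trusts

def fetch_path(mailbox: str) -> Optional[List[Cert]]:
    """Stand-in for querying the hypothetical per-user DNS record type."""
    return CONSTRUCTED_DNS.get(mailbox.lower())

def leaf_dn(path: Optional[List[Cert]]) -> Optional[str]:
    """Return the leaf DN only if the path chains leaf->root to a trusted root."""
    if not path or path[-1]["subject"] not in TRUSTED_ROOTS:
        return None
    for cert, parent in zip(path, path[1:]):
        if cert["issuer"] != parent["subject"]:
            return None  # broken chain
    return path[0]["subject"]

class PersonalCache:
    """Mailbox -> DN bindings the user has accepted, plus local aliases."""
    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self.aliases: Dict[str, str] = {}

    def bind(self, alias: str, mailbox: str, expected_dn: str) -> bool:
        """Accept the binding only if the fetched certificate carries the expected DN."""
        dn = leaf_dn(fetch_path(mailbox))
        if dn != expected_dn:
            return False  # decision rests on the DN, never on the mailbox name
        self.bindings[mailbox] = dn
        self.aliases[alias] = mailbox
        return True

    def dn_for(self, alias: str) -> Optional[str]:
        """Resolve alias -> mailbox, re-fetch, and reject if the DN no longer matches."""
        mailbox = self.aliases.get(alias)
        cached = self.bindings.get(mailbox)
        return cached if cached and leaf_dn(fetch_path(mailbox)) == cached else None
```

The re-fetch in `dn_for` is what makes the cached binding useful as a check: a record that later returns a certificate with a different DN for the same mailbox is rejected instead of silently accepted.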
