The X.500 directory could be one such mechanism. However,
one difficulty that I see integrating PEM and X.500 is that the X.500
directory hierarchy is based on distinguished names while the e-mail
address has a different hierarchy (e.g. Internet Address).
Good idea. Actually the mapping between RFC822 name and distinguished
name has already been solved in the Thorn / RARE X.500 naming architecture
proposed by S. Kille at UCL which includes the attribute "RFC822 mailbox".
You can either read an entry via the distinguished name to get the RFC822
mailbox name, or search via the RFC822 mailbox name to get the distinguished
name. By adding a "Certificate" attribute to the naming architecture both
types of queries will also return that certificate.
Since UCL is also active in the development of secure e-mail I guess that
their DSA is already supporting certificates.
Note, however, that the mapping between RFC822 name and distinguished name
is not reliable, either because the DSA is not trustworthy or because the
returned data was tampered with. In the current PEM version this should not
be a problem since it is based on the distinguished name only. You may also
activate the OPTIONALLY SIGNED mechanism on the DSA to prevent tampering
with the returned data.
Markus Mueller
FIDES Informatik
Abteilung IB2
Badenerstrasse 172
CH-8004 Zuerich
Switzerland
SWITCH/ARPA/BITNET : mueller@komsys.tik.ethz.ch
UUCP : mueller%komsys.tik.ethz.ch@chx400.uucp
X.400 : S=mueller;OU=tik;O=ethz;P=switch;A=arcom;C=ch
Mail account courtesy of Institut fuer Technische Informatik und
Kommunikationsnetze, ETH, CH-8092 Zuerich, Switzerland
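A toy model of the naming architecture discussed in this post, added here as an example and not taken from the original thread: each DSA entry carries an "RFC822 mailbox" and a "Certificate" attribute, can be read by distinguished name or searched by mailbox, and the caller anchors trust on the DN rather than on the mailbox mapping. The DN syntax, attribute spellings, class names and sample entries are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Certificate:
    subject_dn: str      # PEM binds the public key to a distinguished name
    public_key: str

@dataclass(frozen=True)
class Entry:
    dn: str
    rfc822_mailbox: str        # the "RFC822 mailbox" attribute
    certificate: Certificate   # the added "Certificate" attribute

class Dsa:
    """Toy Directory System Agent: read by DN, or search by RFC822 mailbox."""
    def __init__(self) -> None:
        self._by_dn: Dict[str, Entry] = {}
        self._by_mailbox: Dict[str, Entry] = {}
    def add(self, entry: Entry) -> None:
        self._by_dn[entry.dn] = entry
        self._by_mailbox[entry.rfc822_mailbox] = entry
    def read(self, dn: str) -> Optional[Entry]:
        return self._by_dn.get(dn)             # DN -> mailbox and certificate
    def search(self, mailbox: str) -> Optional[Entry]:
        return self._by_mailbox.get(mailbox)   # mailbox -> DN and certificate

def certificate_for_dn(dsa: Dsa, dn: str) -> Optional[Certificate]:
    """Accept the returned certificate only if its subject is the requested DN."""
    entry = dsa.read(dn)
    if entry is None or entry.certificate.subject_dn != dn:
        return None
    return entry.certificate

def certificate_for_mailbox(dsa: Dsa, mailbox: str,
                            expected_dn: Optional[str] = None) -> Optional[Certificate]:
    """Resolve mailbox -> DN -> certificate. The mailbox-to-DN step is only as
    trustworthy as the DSA, so pass a DN known out of band when you have one."""
    entry = dsa.search(mailbox)
    if entry is None or (expected_dn is not None and entry.dn != expected_dn):
        return None
    return certificate_for_dn(dsa, entry.dn)

def sample_dsa() -> Dsa:
    """Constructed sample entries; names, mailboxes and keys are made up."""
    dsa = Dsa()
    for name in ("Alice", "Bob"):
        dn = f"C=CH, O=Example, CN={name}"
        dsa.add(Entry(dn, f"{name.lower()}@example.ch", Certificate(dn, f"key-of-{name.lower()}")))
    return dsa
```

A query by DN keeps working even if the mailbox index is wrong, which is why the post says the current DN-based PEM is not affected; a mailbox-only query needs either a signed DSA result or an out-of-band DN to be trustworthy.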