Tom,
In order to validate a signed message, the recipient must have
the public key of the originator. In PEM, such keys are made
available in the context of certificates. If the originator's
certificate is not present in the PEM message header (because the
Originator-ID-Asymmetric field has been employed), then the recipient
is assumed to have access to the originator's certificate through some
other means, e.g., caching. To support non-repudiation, the recipient
would present this certificate with the signed message to a third
party.
It really makes no difference whether the (originator)
certificate was included in the header or supplied externally.
Without the certificate the recipient cannot validate the signature.
(To be precise, the recipient needs a full certification path from the
IPRA to the originator, but I've omitted that detail because you
didn't include it in your message. Also, the signature facility is
not all that is required for non-repudiation, but that discussion has
been carried out on this list previously and need not be repeated.)
Certainly you are correct in NOT relying on information in the
From field (not the "To" field), and it is not PEM's intent to suggest
that. However, you seem to suggest that unless a PEM message contains
all of the data required to provide non-repudiation, the service
is not provided by PEM. PEM involves a larger context than just the
message format, e.g., the certification system (including CRLs), and
all of that must be taken into account when considering non-repudiation.
Steve
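As an added illustration (not part of Steve's message or of any PEM implementation), the following Python check makes the point above concrete: the recipient can only proceed to validate the signature once the originator's certificate is in hand, whether it came in the Originator-Certificate header field or, when only Originator-ID-Asymmetric is present, from a local cache. Field names follow RFC 1421; the sample header values, the cache contents and the pem_message helper are constructed for this example, not real certificates.

```python
import base64

# Encapsulated-header field names from RFC 1421 (PEM). Everything else here,
# including the sample messages and cache, is constructed for illustration.
ORIGINATOR_CERT = "Originator-Certificate"
ORIGINATOR_ID_ASYM = "Originator-ID-Asymmetric"

# Constructed stand-ins for DER-encoded values (not a real DN or certificate).
ISSUER_B64 = base64.b64encode(b"constructed issuer DN").decode()
CERT_DER = b"constructed originator certificate"
CERT_B64 = base64.b64encode(CERT_DER).decode()

def parse_pem_header(message):
    # Collect header fields up to the first blank line, joining folded lines.
    fields, last = {}, None
    for line in message.splitlines():
        if not line.strip():
            break                           # blank line ends the header
        if line.startswith("-----"):
            continue                        # encapsulation boundary
        if line[0] in " \t" and last:
            fields[last] += line.strip()    # continuation of previous field
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        fields[last] = value.strip()
    return fields

def originator_certificate(fields, cert_cache):
    # Return (source, DER bytes) needed to validate the signature, or raise.
    if ORIGINATOR_CERT in fields:
        return "header", base64.b64decode(fields[ORIGINATOR_CERT])
    if ORIGINATOR_ID_ASYM in fields:
        issuer, _, serial = fields[ORIGINATOR_ID_ASYM].partition(",")
        key = (issuer.strip(), serial.strip())
        if key in cert_cache:
            return "cache", cert_cache[key]
        raise LookupError(f"certificate for issuer/serial {key} not cached")
    raise ValueError("header carries no originator identification")

def pem_message(*header_lines):
    # Constructed RFC 1421-style wrapper: boundary, header lines, blank, body.
    return ("-----BEGIN PRIVACY-ENHANCED MESSAGE-----\nProc-Type: 4,MIC-ONLY\n"
            + "\n".join(header_lines) + "\n\nbody\n-----END PRIVACY-ENHANCED MESSAGE-----\n")

# Constructed samples: ID-only (certificate must come from elsewhere) and cert-in-header.
SAMPLE_ID_ONLY = pem_message(f"{ORIGINATOR_ID_ASYM}: {ISSUER_B64},", " 42")
SAMPLE_WITH_CERT = pem_message(f"{ORIGINATOR_CERT}:", f" {CERT_B64[:20]}", f" {CERT_B64[20:]}")
```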