I said:
When Originator-ID-Asymmetric is used, it points to a specific
certificate and presumes that the recipient already has or is able to
obtain that certificate.
TCJones said:
Not true - the Originator-ID-Asymmetric points to an I-A (actually a CA).
A CA's DN and serial number uniquely identify a certificate.
knowing only the Issuing Agent and a version number for a
certificate which I don't have.
I think this is where your confusion lies. Originator-ID-Asymmetric
includes the issuer DN and a serial number...
I think PEM had better create a
message for the CA, "Please_Send_a_DN_for_the_Enclosed_DNS" if you want
any of this to do anything at all.
This is one of the great hopes of X.500, no? In either case, such a
request may or may not be appropriate depending on the PCA's policy.
I do feel, however, that where the policy permits, an automated retrieval
service should exist in the absence of X.500.
I think that once we tie Originator-ID-Asymmetric to a certificate, your
remaining points have been addressed.
-Ray
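As an added illustration of the point argued above (not code from the thread or from any PEM implementation): the header carries a base64-encoded issuer Name and a hexadecimal serial number, per RFC 1421, and the recipient can only use it to select a certificate it already holds. The issuer Names, serials and store contents below are constructed sample values.

```python
import base64
import re

# Constructed sample data (not from the thread). ISSUER_DER is a minimal
# DER-encoded X.500 Name: SEQUENCE { SET { SEQUENCE { O (2.5.4.10), "TEST" } } }
ISSUER_DER = bytes.fromhex("300f310d300b060355040a130454455354")
# A second constructed issuer, O=OTHER, to show the serial alone is not enough.
OTHER_ISSUER_DER = bytes.fromhex("3010310e300c060355040a13054f54484552")

# RFC 1421 header shape: base64 issuer Name, comma, serial number in hex.
HEADER_RE = re.compile(
    r"^Originator-ID-Asymmetric:\s*([A-Za-z0-9+/=]+)\s*,\s*([0-9A-Fa-f]+)\s*$"
)

def parse_originator_id(line):
    """Return (issuer_der, serial) from one Originator-ID-Asymmetric header line."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed Originator-ID-Asymmetric header")
    issuer_der = base64.b64decode(m.group(1), validate=True)
    if not issuer_der.startswith(b"\x30"):      # a DER Name is a SEQUENCE
        raise ValueError("issuer field is not a DER-encoded Name")
    return issuer_der, int(m.group(2), 16)

def find_certificate(store, line):
    """Look the header's (issuer, serial) pair up in a local certificate store.

    Returns the stored certificate, or None when the recipient does not hold
    it and would first have to obtain it (from the CA/IA or a directory).
    """
    return store.get(parse_originator_id(line))

# Constructed local store: serial 0x66 exists under two different issuers, so
# both halves of the pair are needed to pick exactly one certificate.
SAMPLE_STORE = {
    (ISSUER_DER, 0x66): "certificate 66 issued by O=TEST",
    (OTHER_ISSUER_DER, 0x66): "certificate 66 issued by O=OTHER",
}
SAMPLE_HEADER = "Originator-ID-Asymmetric: %s,66" % base64.b64encode(ISSUER_DER).decode()
OTHER_HEADER = "Originator-ID-Asymmetric: %s,66" % base64.b64encode(OTHER_ISSUER_DER).decode()
UNKNOWN_HEADER = "Originator-ID-Asymmetric: %s,67" % base64.b64encode(ISSUER_DER).decode()

if __name__ == "__main__":
    print(find_certificate(SAMPLE_STORE, SAMPLE_HEADER))   # held locally
    print(find_certificate(SAMPLE_STORE, OTHER_HEADER))    # same serial, other CA
    print(find_certificate(SAMPLE_STORE, UNKNOWN_HEADER))  # None: must retrieve
```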