We seem to have some gaps in agreement here.
PEM provides authenticated messages if both the sender and recipient can
show that they both believe in one of the certificates used to sign the
message.
If they don't share at least one certificate that's trusted, then the message
cannot be authenticated.
Hopefully they will share a CA or PCA, so they should have certs that can be used
to validate the message signature.
Without this basic framework we don't have anything...
----------------------------------------------------------------------------
Use of PEM,
Assuming we have authentication, then other things are possible, such as
privacy.
The meaning attached to the event of an entity signing a PEM message seems
to be a major discussion point. This also seems to be tied up with PCA
politics. Personally I would have thought that there would be a PCA, say, that
would act for the US educational establishments, another for UK ones...
Where problems arise seems to be with the 'commercialisation' of PCAs, where
there may be many PCAs touting for the same customers, or in the gov't/non-gov't
PCAs.
Pete.