At present, however, the lack of correspondence in
general between the name of a CA and its e-mail
address is a potential show-stopper. If we had a real
X.500 directory this wouldn't be a problem -- we could
look up the address.

If we had a real X.500 directory we could look up the CRL
there. We wouldn't have a problem at all.

This is the crux: a global CRL distribution service without
X.500 support has intrinsically a similar problem complexity
as a global X.500 service itself (except that we only need
to distribute a single data type (or attribute in X.500
terms)). If we had X.500, this complexity would have been solved
there. If we don't have X.500 (which PEM realistically assumes),
we have to solve this complexity in the CRL distribution
service. Whether we distribute CRLs via a smaller number of
PCAs or a greater number of CAs doesn't reduce this
complexity.

Wolfgang Schneider