
Re: CRLs Load with PCAs and CAs

1993-09-23 16:21:00

I don't mean to go overboard on this point, but I was concerned about some 
smaller companies that might not even have permanent Internet access, but 
only run their own local LAN. Such companies might not be set up to provide 
the routine around-the-clock network access that we take for granted.

This doesn't seem like a big problem.

When an "off line" network dials up and downloads mail, the MTA can
verify any PEM signatures it finds (or expects to find) and either:
(a) attach a certificate chain to each message, or (b) cause the
certificates to be cached in a local directory server where they can be
fetched when users read their mail.

When an "off line" UA sends a message which needs to be encrypted, it can
communicate this fact to the local MTA by either a special header or by
some out of band method.  Later, when the MTA connects to the Internet
to transfer mail, it can look up the recipient's public key and encrypt
the message before it leaves the local LAN.

Granted, this model only works for sites "one hop" from "the network"
but that's not a significant drawback unless you work at AT&T :-).

Now, however, we are more or less forced to use it to identify the user
"himself" (plus or minus a number of roles and other attributes) for both
key management and digital signature controls, AND try to figure out a
way of deriving the user's Internet e-mail address(es) from a structure that 
was oriented more towards X.400, AND we have imposed name subordination
in order to try to cope with some of these problems, AND now we can't figure
out how to contact the user's CA and/or his PCA, especially in cases of
unaffiliated or residential persons.  All this in the absence of an 
as-yet-to-be-proven-to-be-viable distributed directory service. What a mess!

I think you're blowing this way out of proportion.  The Internet X.500
DIT is growing all the time.  It already contains straightforward
mappings for domain names, and has the ability to insert aliases if
(for example) I want to put my users in the DIT as:

        @c=us@o=U S WEST@ou=Technologies@cn=Jane Doe

I can make an entry

        @o=Internet@domainComponent=com@domainComponent=uswest

which contains an alias that points to

        @c=us@o=U S WEST


brad

Vint Cerf suggested that we think about using something like the Domain Name 
Server. Maybe the PCAs should operate something like that, that would at least
tell a user the email address of the CA's CRL server.

Why bother?  We need a lot more out of a directory service than just
certificates and the one thing X.500 gives us is flexibility.  It may
be overweight, but it is fairly complete.  Hell, it even includes
attributes for "favorite drink".

There is even an X.500 light protocol called something like "DIXIE"
which can be (and is) used by applications which need directory access but
can't afford to use a full OSI stack.  There are already several
applications which use this; including a version of sendmail which can
make X.500 name lookups as part of its address parsing!


brad
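The alias mapping Brad sketches (a domainComponent branch under o=Internet aliased onto the organisation's own c=us@o=U S WEST subtree) can be modelled in a few dozen lines. The following is an added example, not code from the pem-dev list or from any X.500 implementation: it parses the "@"-separated string DN form used in the message, keeps a small in-memory DIT, and resolves names through alias entries. The entries, attribute values and the certificate placeholder are all constructed for the example; the one design point worth noting for a certificate lookup is the hop limit on alias dereferencing, since a misconfigured or hostile pair of aliases pointing at each other would otherwise make the lookup spin forever.

```python
# Added example (not from the pem-dev message above): an in-memory model of
# the X.500 DIT aliasing Brad describes, using the '@'-separated string DN
# form from his message.  All entries and the certificate value below are
# constructed for this example.
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]      # (attribute type, value), e.g. ("c", "us")
Entry = Dict[str, str]     # attribute type -> value (single-valued here)
DIT = Dict[str, Entry]     # canonical DN string -> entry

MAX_ALIAS_HOPS = 8         # bound on alias dereferencing; stops alias loops


def parse_dn(text: str) -> List[RDN]:
    """Parse '@c=us@o=U S WEST@cn=Jane Doe' into [(type, value), ...], root
    first.  Attribute types are case-insensitive in X.500 and are folded to
    lower case; values keep their case.  Values containing '@' are not
    representable in this string form and are rejected as malformed."""
    if not text.startswith("@"):
        raise ValueError("string DN must begin with '@'")
    rdns: List[RDN] = []
    for part in text[1:].split("@"):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr, value))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn; the result doubles as the canonical DIT key."""
    return "".join(f"@{attr}={value}" for attr, value in rdns)


def add_entry(dit: DIT, dn: str, **attrs: str) -> None:
    """Insert an entry, requiring its superior to exist (as X.500 does)."""
    rdns = parse_dn(dn)
    if len(rdns) > 1 and format_dn(rdns[:-1]) not in dit:
        raise LookupError(f"superior of {dn} does not exist")
    dit[format_dn(rdns)] = {k.lower(): v for k, v in attrs.items()}


def resolve(dit: DIT, dn: str, max_hops: int = MAX_ALIAS_HOPS) -> Tuple[str, Entry]:
    """Resolve a DN to (canonical DN, entry), dereferencing an alias found at
    any point along the name.  Each dereference is one hop; exceeding
    max_hops raises LookupError instead of spinning on an alias loop."""
    rdns = parse_dn(dn)
    hops = 0
    while True:
        for i in range(1, len(rdns) + 1):
            prefix = format_dn(rdns[:i])
            entry = dit.get(prefix)
            if entry is None:
                raise LookupError(f"no such entry: {prefix}")
            target = entry.get("aliasedobjectname")
            if target is not None:
                hops += 1
                if hops > max_hops:
                    raise LookupError(f"alias hop limit {max_hops} exceeded resolving {dn}")
                # Replace the aliased prefix with its target and restart from the root.
                rdns = parse_dn(target) + rdns[i:]
                break
        else:
            return format_dn(rdns), dit[format_dn(rdns)]


def find_certificate(dit: DIT, dn: str) -> Optional[str]:
    """What a UA or MTA would do for a recipient: look the name up (through
    any aliases) and return its userCertificate attribute, or None."""
    _, entry = resolve(dit, dn)
    return entry.get("usercertificate")


def build_example_dit() -> DIT:
    """The two naming trees from the message, joined by one alias entry.
    Constructed data; the certificate value is a placeholder, not a real cert."""
    dit: DIT = {}
    add_entry(dit, "@c=us")
    add_entry(dit, "@c=us@o=U S WEST")
    add_entry(dit, "@c=us@o=U S WEST@ou=Technologies")
    add_entry(dit, "@c=us@o=U S WEST@ou=Technologies@cn=Jane Doe",
              userCertificate="<placeholder DER certificate>")
    add_entry(dit, "@o=Internet")
    add_entry(dit, "@o=Internet@domainComponent=com")
    add_entry(dit, "@o=Internet@domainComponent=com@domainComponent=uswest",
              aliasedObjectName="@c=us@o=U S WEST")
    return dit


def build_looped_dit() -> DIT:
    """A misconfigured DIT in which two aliases point at each other."""
    dit: DIT = {}
    add_entry(dit, "@o=A", aliasedObjectName="@o=B")
    add_entry(dit, "@o=B", aliasedObjectName="@o=A")
    return dit


if __name__ == "__main__":
    dit = build_example_dit()
    name = "@o=Internet@domainComponent=com@domainComponent=uswest@ou=Technologies@cn=Jane Doe"
    print(resolve(dit, name)[0])   # @c=us@o=U S WEST@ou=Technologies@cn=Jane Doe
    print(find_certificate(dit, name))
```

Looking Jane Doe up by her domain-style name lands on the same entry as her organisational name, which is the whole point of the alias. A real directory would also enforce access control on who may read userCertificate and on who may create alias entries, since an alias is exactly what would redirect a certificate lookup to the wrong subtree.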
