You can! For example send a mail to me using my e-mail address
(ali@ctt.bellcore.com) with the following subject line:
DISTINGUISHED-NAME-REQUEST
You will get my DN.
Do you seriously think this solution is usable in a production
environment?
It roughly triples the delivery time for email since I have to send a
message to you, then get your DN back, then send you the real message.
Am I correct in assuming that once I have your DN I still have to look
it up in the directory to get your certificate? I suppose if you're
going to send me a mail message with your DN in it, you might as well
send me the certificates as well...
For sites that connect once a day with dialup this scheme could be
slower than surface mail!
For that matter, how do I even know that the reply is from you? I have
to trust that your DN which may be something really obscure like
c=us@o=compuserv@cn=37234806 or something normal looking like
c=us@st=colorado@l=boulder@cn=Ali Bahreman is really associated with
your email address <ali@ctt.bellcore.com>? Heck, you may have never
even been to Boulder Colorado and here some bad guy in the middle has
spoofed your DN.
Granted if I _started_ by looking for you in an X.500 directory it
would have been easier, but if I have only your address (which is
common practice today), I've no way of knowing with _any_ certainty
that the DN I get back from such an untrusted request is really yours.
brad
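The exchange Brad describes, modelled as an added example that is not part of the original thread: the sender asks an unauthenticated auto-responder for a DN, fetches the certificate under that DN from the directory, and checks the CA signature. A man in the middle who answers with his own DN passes every one of those checks, because his certificate really was issued by the CA. The second lookup adds the check Brad's objection points at: the only thing the sender actually holds is the e-mail address, so the certificate must be bound to that address. The directory, the DN strings, the addresses, the HMAC standing in for a CA signature, and the assumption that the certificate carries the e-mail address as a field are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the CA's signing key; a real CA signs with a
# private key, but HMAC is enough to model "issued by the CA" here.
CA_KEY = b"toy-ca-key-not-a-real-secret"

ALI_ADDR = "ali@ctt.bellcore.com"
ALI_DN = "c=us@st=colorado@l=boulder@cn=Ali Bahreman"
MALLORY_DN = "c=us@o=compuserv@cn=37234806"   # the "bad guy in the middle"


def ca_sign(fields):
    """Toy CA signature over the canonical encoding of the certificate fields."""
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


def issue(dn, email, pubkey):
    """Toy certificate: DN, the e-mail address it is bound to (assumption), key."""
    fields = {"dn": dn, "email": email, "pubkey": pubkey}
    return {"fields": fields, "sig": ca_sign(fields)}


def verify_cert(cert):
    return hmac.compare_digest(ca_sign(cert["fields"]), cert["sig"])


# Constructed directory keyed by DN, as the thread's X.500 lookup would be.
# Both entries are legitimately issued; Mallory simply has his own certificate.
DIRECTORY = {
    ALI_DN: issue(ALI_DN, ALI_ADDR, "ALI-PUBKEY"),
    MALLORY_DN: issue(MALLORY_DN, "mallory@example.net", "MALLORY-PUBKEY"),
}


def dn_request(address, attacker_in_middle=False):
    """The DISTINGUISHED-NAME-REQUEST auto-reply. Nothing authenticates it,
    so anyone who can answer first can substitute any DN at all."""
    if attacker_in_middle:
        return MALLORY_DN
    return {ALI_ADDR: ALI_DN}.get(address)


def lookup_key_naive(address, attacker_in_middle=False):
    """Exactly the flow in the thread: ask for the DN, fetch the certificate
    under it, verify the CA signature, use the key."""
    cert = DIRECTORY[dn_request(address, attacker_in_middle)]
    if not verify_cert(cert):
        raise ValueError("bad CA signature")
    return cert["fields"]["pubkey"]


def lookup_key_bound(address, attacker_in_middle=False):
    """Added check: the certificate must be bound to the address we already
    hold. The DN came from an untrusted reply; the address did not."""
    dn = dn_request(address, attacker_in_middle)
    cert = DIRECTORY[dn]
    if not verify_cert(cert):
        raise ValueError("bad CA signature")
    if cert["fields"]["email"] != address:
        raise ValueError(f"certificate under {dn} is not bound to {address}")
    return cert["fields"]["pubkey"]


def run_scenarios(address=ALI_ADDR):
    """Run both lookups with and without a man in the middle."""
    results = {}
    for mitm in (False, True):
        results[("naive", mitm)] = lookup_key_naive(address, mitm)
        try:
            results[("bound", mitm)] = lookup_key_bound(address, mitm)
        except ValueError as exc:
            results[("bound", mitm)] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for (mode, mitm), outcome in run_scenarios().items():
        print(f"{mode:5s} mitm={mitm!s:5s} -> {outcome}")
```

The naive lookup hands Brad Mallory's key whenever Mallory answers the DN request, and the CA signature check cannot catch it, since the certificate it fetched is genuine. The bound lookup rejects it only because the certificate names an address other than the one Brad started from; if certificates of the day did not carry the address at all, the thread's objection stands as written and no directory lookup repairs it.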