Granted, if I _started_ by looking for you in an X.500 directory it
would have been easier, but if I have only your address (which is
common practice today), I've no way of knowing with _any_ certainty
that the DN I get back from such an untrusted request is really yours.

Interesting semantics.
What is the "yours" you referred to? It seems that you trust the user's
SMTP email address more than you trust his DN and/or certificate?

Unless you are sending out encrypted junk mail, you have presumably
already exchanged at least one message with the person you are
trying to communicate with. The assumption made by PEM, in the
absence of a ubiquitous, production-quality X.500 directory, was
that the user agents would routinely incorporate the sender's certificate
in any outgoing messages, and that recipients would more or less
automatically cache those certificates.

Boo! Signed, Alice. [Alice's Certificate] ------------->
<----------Encrypted for Alice(Boo, who; C=US, O=uswest, CN= Alice?
Signed, Bob) [Bob's Certificate]
Encrypted for Bob(Boo, hoo, hoo, C=US, O=GTEL, CN=Bob!
Signed, Alice)------------------>

Bob.
(still waiting for Alice, after all these years. sigh...)
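
The certificate caching described in the message above, as an added sketch that is not part of the original post or of any PEM implementation. `Cert` is a stand-in for a parsed X.509 certificate; `CertCache`, the `.example` addresses, the key bytes and the keep-the-old-entry policy on a mismatch are assumptions, and certificate chain validation is omitted.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate (constructed values, not real DER)."""
    subject_dn: str
    public_key: bytes

    def fingerprint(self) -> str:
        data = self.subject_dn.encode() + b"\x00" + self.public_key
        return hashlib.sha256(data).hexdigest()

class CertCache:
    """Per-user cache: sender address -> certificate carried in that sender's mail."""
    def __init__(self):
        self._by_addr = {}

    def observe(self, from_addr: str, cert: Cert) -> str:
        """Record the certificate attached to an incoming signed message."""
        key = from_addr.strip().lower()
        known = self._by_addr.get(key)
        if known is None:
            self._by_addr[key] = cert  # first contact: nothing to compare against
            return "cached"
        if known.fingerprint() == cert.fingerprint():
            return "known"
        # Same address, different DN or key: keep the old entry, let the user decide.
        return "conflict"

    def cert_for(self, to_addr: str):
        """Certificate to encrypt to, or None if this correspondent never wrote to us."""
        return self._by_addr.get(to_addr.strip().lower())

def exchange():
    """Replay the exchange from the post with constructed addresses and keys."""
    alice = Cert("C=US, O=uswest, CN=Alice", b"alice-public-key")
    bob = Cert("C=US, O=GTEL, CN=Bob", b"bob-public-key")
    bob_cache, alice_cache = CertCache(), CertCache()
    log = [bob_cache.cert_for("alice@uswest.example")]        # before message 1
    log.append(bob_cache.observe("Alice@uswest.example", alice))   # message 1 arrives
    log.append(bob_cache.cert_for("alice@uswest.example").subject_dn)
    log.append(alice_cache.observe("bob@gtel.example", bob))       # message 2 arrives
    log.append(alice_cache.observe("bob@gtel.example", bob))       # later mail, same cert
    changed = Cert("C=US, O=GTEL, CN=Bob", b"other-public-key")
    log.append(alice_cache.observe("bob@gtel.example", changed))   # same DN, new key
    return log
```

The cache binds an address to a DN only on the strength of the first message seen, so it settles who to encrypt to, not whether that DN belongs to the person behind the address.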