Rhys,
As you correctly observed, PEM does not allow self-signed
certificates. I don't think we are trying to compete with PGP in the
"market" where "certificate-less" messaging is considered a feature.
The initial RIPEM software is essentially a version of PEM that did
not use certificates, but its author noted his plans to move to
certificates in subsequent versions. PEM's message format may not be
so superior to PGP as to make me think it is worth promoting in the
absence of the certificate management system. PEM provides a wide
range of levels of identity assurance, through the use of various
PCAs, in an effort to meet the requirements of a broad audience.
A precept of PEM is to operate in a fashion that prevents a
recipient from ever being spoofed by a claimed identity associated
with an incoming (PEM) message. The intent is to make it easy for a
user to evaluate the credibility of the claimed identity, by examining
only the PCA DN, and to identify the user, by examining the user's DN.
Both of these values (the PCA name and the user name) can be mapped to
local aliases to facilitate display and to provide the user with
shorter, personally significant names, but the precept still holds.
Steve