Bob,
Thanks for your comments on DN vs. mailbox addresses. As you
observed, the intent of a DN is to identify a PEM user in a
descriptive as well as unique fashion. It is not to be used in
routing email. The independence between the two names, for a mailbox
vs. a PEM user, is a feature in many instances, not a liability.
Christian and I are writing (he has really done all the work
so far) a brief memo resurrecting an idea I broached several years ago
when the PEM work began. To facilitate retrieval of user certificates
one could send a formatted message to a well-known mailbox on the host
which provides the user's mailbox interface. A simple responder would
provide certificates (maybe full certification paths) for all of the
users whose mailbox names were included in the request message. Since
we live in a world where many of us are already familiar with mailbox
names for users, or we can employ existing directory services like
whois to locate these mailbox names, it makes sense to exploit this
aspect of the existing infrastructure to aid in the certificate
retrieval process. In the future, with more widespread availability of
X.500 or enhancements to other directory services, this should be less
of a problem. Note that mailbox names still are not a substitute for
DNs, e.g., they are less descriptive and are married to a given email
transport technology. But so long as they provide a convenient means
of inquiring about certificates we should make use of them for that
purpose.
Steve
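The retrieval scheme sketched in the message above, as an added example that is not part of the original mail or of the memo it mentions: a requester mails a list of mailbox names to a well-known mailbox on the mailbox host, and a simple responder answers with the certification path for each name it knows. The request format (one mailbox name per body line), the responder address `cert-server@example.com`, the contents of the store and the certificate blobs are all constructed assumptions for illustration; the subject DNs are deliberately unlike the mailbox names to show that the mailbox only indexes the lookup and is not the name the certificate binds.

```python
"""
Constructed example: a minimal mailbox-keyed certificate responder.
Message format, responder address and store contents are assumptions
made for illustration; they are not taken from the PEM memo.
"""
from email import message_from_string
from email.message import EmailMessage

RESPONDER_MAILBOX = "cert-server@example.com"   # assumed well-known mailbox

# Constructed store: mailbox name -> certification path (leaf cert first).
# The "der_b64" values are placeholders, not real certificates.
CERT_STORE = {
    "alice@example.com": [
        {"subject": "C=US, O=Example Corp, CN=Alice Q. Example",
         "issuer": "C=US, O=Example Corp, OU=Example Corp CA",
         "der_b64": "MIIB...alice..."},
        {"subject": "C=US, O=Example Corp, OU=Example Corp CA",
         "issuer": "C=US, O=Internet PCA",
         "der_b64": "MIIB...exca..."},
    ],
    "bob@example.com": [
        {"subject": "C=US, O=Example Corp, CN=Robert Example",
         "issuer": "C=US, O=Example Corp, OU=Example Corp CA",
         "der_b64": "MIIB...bob..."},
        {"subject": "C=US, O=Example Corp, OU=Example Corp CA",
         "issuer": "C=US, O=Internet PCA",
         "der_b64": "MIIB...exca..."},
    ],
}


def parse_request(raw):
    """Return the mailbox names requested, one per non-blank body line,
    lower-cased, deduplicated, in order of first appearance.  Lines that
    are blank, comments, or not mailbox names at all are ignored."""
    msg = message_from_string(raw)
    names = []
    for line in msg.get_payload().splitlines():
        name = line.strip().lower()
        if not name or name.startswith("#") or "@" not in name:
            continue
        if name not in names:
            names.append(name)
    return names


def lookup_paths(mailboxes, store=CERT_STORE):
    """Map each requested mailbox to its certification path, or None
    when the responder holds no certificate for that mailbox."""
    return {m: store.get(m) for m in mailboxes}


def build_reply(raw_request, store=CERT_STORE):
    """Build the responder's reply to a request message.  Unknown
    mailboxes are answered explicitly rather than silently dropped, so
    the requester can tell 'no certificate' from 'not looked up'."""
    request = message_from_string(raw_request)
    paths = lookup_paths(parse_request(raw_request), store)

    lines = []
    for mailbox, path in paths.items():
        if path is None:
            lines.append(f"{mailbox}: NO-CERTIFICATE")
            continue
        lines.append(f"{mailbox}: {len(path)} certificate(s), leaf first")
        for cert in path:
            lines.append(f"  Subject: {cert['subject']}")
            lines.append(f"  Issuer:  {cert['issuer']}")
            lines.append(f"  Certificate: {cert['der_b64']}")

    reply = EmailMessage()
    reply["From"] = RESPONDER_MAILBOX
    reply["To"] = request["From"]
    reply["Subject"] = "Re: " + (request["Subject"] or "certificate request")
    reply.set_content("\n".join(lines) + "\n")
    return reply


# Constructed request: a duplicate, a differently-cased name and an
# unknown mailbox exercise the normalisation and the NO-CERTIFICATE case.
SAMPLE_REQUEST = """\
From: carol@other.example
To: cert-server@example.com
Subject: certificate request

alice@example.com
Bob@Example.com
alice@example.com
mallory@example.com
"""

if __name__ == "__main__":
    print(build_reply(SAMPLE_REQUEST).as_string())
```

The reply carries only certificates, which are self-protecting: the requester still validates each certification path against a trusted root itself, so the retrieval channel need not be authenticated, but a responder should answer only for mailboxes on its own host and never treat the requester's From address as verified.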