Ted,
We need to do something to make PEM easy to use,
or people won't use it.
Amen.
It also has to provide some added value, even if the nuisance
factor goes to zero.
For that reason, although e-mail names instead of DNs don't
satisfy my objective of being able to use the PEM certificate
infrastructure for other business-related purposes, I wouldn't have
any problem with someone who wanted to set up a PCA that used
e-mail addresses instead of geopolitical/organization (physical universe)
labels in their DN.
Such a PCA domain would fall somewhere in between the totally
anonymous PERSONA domain and, say, the RSA Commercial Hierarchy.
Since it wouldn't pass my "Where do I send the sheriff" test, I might not
extend a whole lot of faith and credit to such a user, but that wouldn't
prevent it from having some real utility in the current Internet environment.
I know that it sounds like I just disagreed with my previous message saying
that replacing DNs with e-mail addresses, but there are two different
contexts.
I couldn't accept the REPLACEMENT of the current DN structure
with a simple e-mail name-based certificate, because it wouldn't satisfy
my other objectives.
But those objectives may very well be too cumbersome to apply to
all uses, so diversity would probably be a good thing.
I still think that creating an X.509 V3 certificate that would contain
attributes outside of the DN (including e-mail addresses) would be
the overall best solution, but a mid-level assurance PCA domain
might provide an almost immediate work-around solution.
Bob
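Bob's preferred long-term answer, a V3 certificate that keeps the geopolitical DN and carries the e-mail address in an attribute outside the DN, is what later became the subjectAltName extension's rfc822Name. The following is an added example, not code from the PEM-DEV thread or from any PEM implementation: it builds such a certificate with the `cryptography` package (assumed installed) and then pulls the DN and the rfc822 addresses back out of it. The DN components, the e-mail address and the validity period are constructed sample values.

```python
# Added example, not from the PEM-DEV thread: an X.509 v3 certificate whose
# subject is a geopolitical/organizational DN and whose e-mail address lives
# in the subjectAltName extension rather than in the DN itself.
# Assumes the `cryptography` package (https://cryptography.io) is installed.
# The DN, e-mail address and validity period are constructed sample values.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def make_v3_cert(dn_parts, email, days=365):
    """Build a self-signed X.509 v3 certificate.

    dn_parts: dict of NameOID -> value making up the physical-universe DN.
    email: rfc822 address carried in subjectAltName, outside the DN.
    Returns (certificate, private key).
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in dn_parts.items()])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed for the example: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        # The e-mail address goes into a v3 extension, not into the DN.
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    cert = builder.sign(key, hashes.SHA256())
    return cert, key


def names_from_cert(cert):
    """Return (DN as an RFC 4514 string, list of rfc822 addresses) from a cert.

    A certificate without a subjectAltName extension yields an empty list,
    which is how a DN-only (v1-style) certificate would look to this check.
    """
    dn = cert.subject.rfc4514_string()
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        emails = san.value.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        emails = []
    return dn, emails


# Constructed sample subject: a geopolitical/organizational DN plus an e-mail.
SAMPLE_DN = {
    NameOID.COUNTRY_NAME: "US",
    NameOID.ORGANIZATION_NAME: "Example Corp",
    NameOID.ORGANIZATIONAL_UNIT_NAME: "Security",
    NameOID.COMMON_NAME: "Bob Example",
}
SAMPLE_EMAIL = "bob@example.com"


def demo():
    """Issue the sample certificate and return (dn, emails, version name)."""
    cert, _ = make_v3_cert(SAMPLE_DN, SAMPLE_EMAIL)
    dn, emails = names_from_cert(cert)
    return dn, emails, cert.version.name


if __name__ == "__main__":
    dn, emails, version = demo()
    print(version)   # v3
    print(dn)        # CN=Bob Example,OU=Security,O=Example Corp,C=US
    print(emails)    # ['bob@example.com']
```

The point to notice is that the DN string contains no e-mail address at all: the "Where do I send the sheriff" identity and the mailbox are separate fields, so a relying party can apply Bob's physical-universe test to the DN while a mail user agent matches on the rfc822Name. A PCA that chose the e-mail-only naming he also describes would simply issue certificates whose DN is less informative; the extraction function above treats either kind the same way.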