John,
We seem to be going around in circles, and that isn't very
constructive.
Let me say that I have nothing at all against the X9.30
type of attribute certificates, and if you would like to propose
adding something like that to the list of capabilities that PEM
should support, I will be happy to try to make sure that it
receives my full attention and support.
Perhaps I was incorrect in reading the mood of the PEM
community in not being willing to consider any changes at
all, but I haven't seen much sentiment expressed for
anything other than the simplest of e-mail features. If I
am wrong, then that opens up a whole host of additional
possibilities. I was making more of a political judgment
than a technical one.
I said that I had only recently received a copy of the
X9.30 proposed standard, and had not yet had an
opportunity to read it. I apologized in advance for not knowing
everything about everything, and I hope that you will be able
to fill us in on some of these details. In fact, I think it would
be very useful to have rapporteurs from some of these
other standards groups participating in the PEM development
efforts and discussing common problems on this list.
My concern was not whether X9.30 supported the exclusion
of some attribute or feature, but whether and how a PEM user
would even know that he was supposed to go look for
an X9.30 certificate, unless only the X9.30 certificate were
used to sign the message and not the X.509 certificate.
Perhaps I was incorrect in my understanding of the ASN.1
syntax for SEQUENCE. My intent was to provide a field
that could include the existing UID fields as optional
attributes within the SEQUENCE. But if that would be too
confusing, I would be happy to keep the existing UID
fields and simply add the subjectAttributes and
issuerAttributes. Charlie Kaufman has suggested
characterizing the semantics of additional attributes into
two classes, the first of which would be optional for
many applications (e.g., e-mail address), and the other
would be mandatory (exclusions such as Disclaimers).
Once again, I am not proposing any kind of a distribution
system at all. I merely referred to the existing system that
is defined within the PEM RFCs, which I believe will
work relatively well within the intended application. It may
or may not be suitable for very large scale EDI or EFT
applications. But at the present rate of deployment of PEM,
worrying about problems of scalability would be a delightful
problem to have to solve, but please don't saddle me with
trying to defend either the presence or the absence
of any particular certificate distribution system, whether
based on X.500 or some other system.
I certainly believe that a CA would be willing and able to
endorse a significant number of interesting attributes,
including e-mail address, role names, titles, disclaimers
of liability, names of PCAs, whether a user is allowed
to create or sign additional CA certificates, etc. That certainly
does not preclude the possibility of having an X9.30
certificate that would support more fine-grained control
over such attributes, including turning them on and off
individually by organizations other than the user's identity CA,
etc., assuming that you can muster the political support
for such a certificate and get it included within the
development plans of a substantial number of PEM developers.
If you can, then I will certainly salute you for a singular
accomplishment.
When you say that I have proposed a syntax and haven't
supplied a detailed context or semantic, I begin to
wonder whether we are subscribed to the same pem-dev
list. Perhaps you should request a copy of the archives
to be sure that you are receiving all of your mail. Certainly
the message that I sent immediately prior to the one containing
the proposed syntax (which somehow arrived back at my
system out of order) was intended to provide exactly that
context, in addition to the ongoing discussions.
If you wish a list of the impediments (I won't call them
defects, because they are limitations imposed by the RFCs),
I would suggest that you go back and read the last month's
worth of mail from people like Steve Crocker, Anish
Bahrani, Rhys Whetherby, and others who are complaining
that PEM is hard to deploy.
Bob