Jeff,
I thought I was agreeing with you.
If the users wish to use X9.30 or some other attribute
certificate, (assuming that they can find someone to
support it within PEM), let them do so. I was specifically
NOT precluding the "more likely(?)" desire of users to
have more atomic control over any particular attribute.
I was not suggesting that any particular attribute be
mandated, nor that such a use preempt any other use.
I was merely trying to be constructive in responding
to a number of people saying that they were having
a real problem getting started using PEM, and
suggesting that including an e-mail address in
a certificate would be convenient. And I have
been concerned for a long time that X.509 was too
inflexible in insisting that no user-related attributes
can be included other than what is put in the DN,
and especially when we look at what types of DNs
would be considered allowable in an X.500 context.
But if you don't want to make use of this capability,
DON'T USE IT!
Even more to the point, if in fact PEM deployment
for a large number of users is not far off, then perhaps
nothing needs to be done. I certainly agree that
"it could be made better" is the enemy of "let's use
it and find out whether it's good enough."
Bob