Steve,
I don't believe that PEM will scale well without some kind of
Directory system. There are other mail systems which use X.509
certificates (X.400 and MSP) which need to search a directory to
obtain a valid certificatePath. It is not clear to me how a
DSA will authenticate a DUA without being able to construct
a valid certificatePath. More applications are coming.
I argue that PEM needs all the help it can get. If an external system
changes such that it restricts PEM's future growth potential, then I am
going to comment. If someone changed the DNS such that it would be
impossible for PEM to use it then I hope you would find it lamentable.
Your design looks a lot like RIPEM. I think that most of the functions
you want are already present there: there is a key server, support for
finger key distribution, etc. Its use in the internet is even growing.
But it is not PEM.
Many of the difficulties in PEM implementations come from poor user
interfaces. Many difficulties come from incomplete implementations too.
Most of us are spoiled by the mature UIs which we see in modern
systems. (All of us except DOS/Windows users !) I have seen
the Mac UIs for RIPEM and TechMail and they are quite tolerable. They
could still use some help from people who know UI design and data
presentation. (Any volunteers out there ?)
When you think about it, the data presentation problems of most
mail-enabled word processors/spread sheets/etc. far exceed the
problems PEM has. Perhaps there is a lack of inspiration ?
Have the PEM developers been focussing on the "hard" problem of all that
"cryptography" rather than that "trivial" problem of a user interface ?
John