Francisco,
Your paper sounds interesting. As you have probably seen, I have been
focused on how to make PEM more usable. One aspect of usability, in
my opinion, is finding a way to make use of the existing
infrastructure of email addresses. For example, if I had wanted to
send you an encrypted message, I'd need a way to make use of your
email address <jordan@ac.upc.es> to obtain your public key. An
extended distinguished name which encodes the information you put at
the bottom of your message:
Francisco Jordan
Group of Distributed Systems
UPC - Universitat Politecnica de Catalunya
Barcelona - Spain
is interesting but I can't do anything with it because there aren't
any ubiquitous X.500 directory mechanisms, nor is there any mechanism
within most mail systems for dealing with X.500 entries.
Does your proposal provide a means for introducing and using email
addresses widely and easily?
I was also intrigued by your mention of a "pull" model for certificate
validation. I think this is a good step forward. Can you supply
details?
Finally, I agree it's necessary to open up the validation process to
accommodate more than one hierarchy and indeed even to permit
individuals or small groups to get started without attaching
themselves to any existing hierarchy. Does your proposal accommodate
individuals and small groups as well as national hierarchies?
Thanks,
Steve