Bob,
I have to give you credit for one of the more intelligent
proposals I have seen. If we end up at an absolute impasse,
this might be worth considering.
However, I'd like to point out that this can be accomplished
today, _without_ any layering or changes to PEM:
1. Continuity, integrity and confidentiality.
(I would have preferred to say continuity, tamperproofing, and anonymity.
In a variety of discussions on the subject of integrity, I've always
taken the position that data doesn't have integrity by itself, but only
through its provenance. In other words, if you don't know who created
the item, you don't know what level of integrity to assign to it.
But provable absence of modification is still valuable.)
(Likewise, confidentiality without any degree of assurance as to who
you are talking to is an oxymoron at best. You are really providing for a
private reply to an anonymous correspondent.)
These capabilities can all be provided by using a Persona certificate.
You can even make up a Persona DN using Carl's favorite idea of using
the public key itself (or a hash of it), thereby disclosing nothing at all
about the individual, not even his taste in monikers or pseudonyms.
This approach also simplifies the confirmation of continuity, since you
don't have to keep comparing a lengthy public key from message to
message.
2. E-mail forgery protection.
I am not nearly as hung up on identifying the sender of e-mail based on
his From address as you Australians seem to be. Maybe I see too many
messages where the From address has been altered by a list exploder to
think that it is going to provide any significant benefit, and I would prefer to
at least know the person's name and perhaps some organizational affiliation.
And as Tom Jones, AKA "Peace" illustrates, an account on DOCKMASTER
really doesn't convey very much information about the context in which
you are responding. (Some people would say that it says a lot! So substitute
CompuServe in that example.)
I don't see very much difference between this and the Persona case, but
if you want to disclose only a little bit of information, you could either
include the e-mail name as the commonName of a Persona certificate (probably not a
very good idea architecturally, as I have argued before), or use an explicit
e-mail attribute (better), and have your DN be certified under a low
assurance PCA hierarchy that is based on e-mail names for identity.
The only thing that might be new here is the use of an explicit e-mail attribute
to facilitate hooking up a fairly dumb mailer with an equally dumb PEM UA.
3. Sender Identification.
A full civil name sender identification in an X.509 certificate would seem
to be the minimum required if we are to support any kind of nonrepudiation.
Other CAs can then create authorization certificates, and users could
sign their own MPEG pictures. (Not still-frame JPEG, however, because that
would allow me to sign Bill Clinton or Rush Limbaugh's picture and no one
be the wiser. The user has to actually say that he is who he is, and that his
certificate was serial N, issued by X. Oh, yeah, I suppose he could hold up
a sign to that effect in a picture.)
I agree that a user may very well have a multiplicity of certificates, even
for a basic identity. I might have a Persona certificate, an e-mail certificate,
a residential person certificate, an organizational certificate, and one
issued by the CIA if I were a spook.
But I would argue that layering in the usual sense is unnecessary -- all we
need is a choice of certificates that provides an increasing level of confidence
in who we are dealing with, at the expense of some decrease in privacy.
But that is an almost universal tradeoff, and the way we conduct almost all
of our dealings throughout life.
Bob