The most recent draft of the PEM/MIME spec defines a key selector to
be used in identifiers. Consider the following paragraph from section
2.2:
    The KEYSEL field is used to distinguish between the multiple public
    keys that may be associated with the name form in the STRING field.
    Its value must be distinct from all other KEYSELs assigned by
    whomever assigned this KEYSEL. A suggested value is to use a
    portion (low-order 16 or 32 bits) or all of the actual public key
    used.
Using the actual public key as a key selector (or something derived
only from the public key) does not add extra complication because the
public key is already available and authenticated. But requiring a
compliant application to support arbitrary selectors adds a whole new
level of complication to its certification models and database
implementations to track and authenticate this key selector.
The mechanism for arbitrary key selectors was added to allow
applications to prevent the public key from being transmitted. To
keep the public key private is not a stated security goal of privacy
enhanced mail. Therefore, the requirement for arbitrary key selectors
should be removed and we should simply use the public key, or
something derived from it, to distinguish among the possible key pairs
associated with a name form.
Steve Dusse
RSA
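As an added illustration, not part of Steve Dusse's message or of the PEM/MIME draft, the following constructed Python sketch contrasts a KEYSEL derived from the public key (verified by recomputation from the already-authenticated key) with the per-name bookkeeping an application must keep when KEYSELs are arbitrary; the key bytes, names and function names are assumptions.

```python
"""Constructed example: key-derived KEYSEL versus arbitrary KEYSEL tracking.
Key bytes below are made up; they are not real RSA public keys."""
from typing import Optional

def derived_keysel(public_key: bytes, bits: int = 32) -> int:
    """Low-order `bits` bits of the encoded public key, as the draft suggests.
    No extra state is needed: the selector is recomputed from the key itself."""
    if bits % 8 != 0 or bits > 8 * len(public_key):
        raise ValueError("bits must be a multiple of 8 and fit in the key")
    return int.from_bytes(public_key[-(bits // 8):], "big")

def matches_derived(public_key: bytes, keysel: int, bits: int = 32) -> bool:
    """Checking a derived selector is just recomputation against the
    authenticated key that accompanies it."""
    return derived_keysel(public_key, bits) == keysel

def selectors_distinct(keys, bits: int = 32) -> bool:
    """The draft's distinctness requirement, checked for the keys of one name.
    If low-order bits collide, the assigner must fall back to a wider portion."""
    sels = [derived_keysel(k, bits) for k in keys]
    return len(sels) == len(set(sels))

class ArbitrarySelectorRegistry:
    """What an application must maintain when KEYSELs are arbitrary:
    a stored (name, keysel) -> key mapping that itself has to be kept
    distinct and authenticated, since nothing in the message lets a
    recipient recompute or check the selector."""
    def __init__(self) -> None:
        self._table: dict = {}  # (name, keysel) -> public_key

    def assign(self, name: str, keysel: int, public_key: bytes) -> None:
        if (name, keysel) in self._table:
            raise ValueError(f"KEYSEL {keysel} already assigned for {name}")
        self._table[(name, keysel)] = public_key

    def lookup(self, name: str, keysel: int) -> Optional[bytes]:
        return self._table.get((name, keysel))

# Constructed sample keys: filler bytes followed by distinctive low-order words.
KEY_A = b"\x01" * 60 + b"\xde\xad\xbe\xef"
KEY_B = b"\x02" * 60 + b"\xca\xfe\xf0\x0d"
KEY_C = b"\x03" * 60 + b"\xde\xad\xbe\xef"  # collides with KEY_A in 32 bits

if __name__ == "__main__":
    print(hex(derived_keysel(KEY_A)))           # 0xdeadbeef
    print(selectors_distinct([KEY_A, KEY_B]))   # True
    print(selectors_distinct([KEY_A, KEY_C]))   # False: widen the selector
```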