But I have a lot of difficultly with your inventing new
mechanisms to solve problems that the old mechanisms were
perfectly capable of solving, if it means that many groups will
have to modify or abondon the infrastructure support tools that
are having to be created.
Bottom line. The old mechanism blew it. We can sit and pontificate for
hours and get no where discussing this issue.
Previous versions of TIS/PEM allowed users to create arbitrary
distinguished names (contrary to the specs) and allowed users to create
arbitrary hierarchies (also contrary to the specs). It all still lost.
The market was not interested. Period.
However, PGP seems to have acquired a community of users. You've got to
take a step back and ask yourself why. We did and thus motivated the
MIME/PEM work.
If you think real hard you'll see that we did two things in the MIME/PEM
spec. First, we closed a few doors real tight, choosing to take
advantage of features of MIME and remove the same functionality from PEM
(I'm including the philosophical change of separating
encryption/signature here). Second, we opened two doors just a little:
- we allowed 1 alternate name form (an email address) and one
mechanism for extension (arbitrary string); a side effect of this
is needing to introduce the concept of key selectors, which are
implicit with certificates (this is not deep stuff)
- we allowed for the use public keys directly instead of
certificates
That's it folks. The rest in the details.
However, I am
opposed to the introduction of new key identifiers within the
standards track, and frankly with the rejection of the
certificate approach that your approach tends to imply. I think
that it will end up setting back the whole effort significantly
if that view is adopted.
I'm respectful of your position Bob. We don't have to agree. I would
like to point out though that we are not abandoning certificates. On
the contrary, we 100% support them, both in the specifications and in
our implementation. We'd prefer people use them but recognize that the
current community of users of encrypted electronic mail don't. There
must be a reason.
I would therefore prefer that we begin the process of updating
both the existing PEM spec and the PEM/MIME spec to take
advantgae of the v3 certificate format, which would make what
you are trying to do even easier and add a lot of other
capabilities as well. But what you are trying to do can also be
done with the version 1 format, so I would vote NO on any effort
to standardize on the key selector approach as it presently
exists.
I still fail to see the problem with the key selector. The serial
number of a certificate is a key selector. All we've done is generalize
the concept since we don't necessarily have certificates.
Jim