I sent my previous note prior to receiving this. At this point my
primary concern is the impact the proposed standards will have on
the evolving national/international public key infrastructure. I
would prefer to go back to the standard X.509 certificate structure,
using used-signed (self-CA) certificates as necessary until the full
blown CA infrastructure can be deployed.
There are valid and useful applications which operate outside of a "CA
infastructure." Self-signed certificated are not an interim step, they are an
alternative certification model. An X.509 is just a signed block of data
which has a publick key and some attributes which the signer wishes to
associate with that key. That's it--any other interpretation is policy.
X.509 certificates are just a representation for signing the combination of a
public key and some attributes.
There will be multiple CA infastructures, and cases which operate outside any
CA infastructure. One of the major failings of Classic PEM (and the cause of
a lot of the perennial discussion about what signatures "mean") is that it
included a particular policy and certification model. MIME/PEM, unlike
Classic PEM, does not. MIME/PEM does not depend on any national or
international infastructure--it can just take advantage of one if such exists
and is appropriate for a given context.
I think you're mixing policy and mechanism again. MIME/PEM purposefully
decouples key infastructure and policy from representation.
Amanda Walker
InterCon Systems Corporation
PGP Key fingerprint: 594F63C03B52DC4E37E9160DE733CD87
PEM MD5OfPublicKey: 8E4A21B7025943DE2EDC7CC038B3D6B1