-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
Issuer-Certificate:
MIC-Info: RSA-MD5,RSA,
PvLhobGYnUcOW99e0lnG+Y+Z+fURujj3oxd7b77hcuYSRAh0r0u5JJGzmTL32JCF
chog0HJhpHXqf5LDNM2htQ==
Indeed. This is generally what RSA's Persona CA puts into
its certificates.
> Good. We have some agreement.
Well, at least on being able to construct DNs that contain email names
or other attributes that do not show up in the Blue Book's discussion
of X.509 :). DNs are just collections of arbitrary attributes.
> Just as a matter of curiosity, why do you think that a bare key is
> more useful for encryption than for signature? I have tended to think
> that there was a very strong duality between the two concepts, and
> almost always what was required for one was required for the other.
> I should think that the need to be reasonably sure exactly who it was
> that you were confiding your deep dark secrets to would be very similar
> to the need to verify your correspondent's bona fides before believing
> him. Why then would a bare key be more useful for encryption?
There are cases where I explicitly want anonymous but secure
communication.
There are cases where I have obtained someone's public key through some
other channel, and don't want arbitrary observers to be able to garner
any additional information about what entity that key is associated
with.
Basically, certification does not necessarily happen in-band, and in
such cases all you need or want is the key.
> Just as you are champing at the bit to release a PEM/MIME
> implementation, I'm working hard to develop a system for issuing
> and managing certificates within an organization.
OK... how do non-certificate-based applications impact this effort? I
would think that such a system would be simply unconcerned with
alternative applications. It might not even support them; it's a
separate animal.
> The more I work with
> X.500 the more I am convinced that this is a highly desirable way
> to accomplish this.
Agreed. No one's arguing (that I have noticed) that X.509 isn't a good
way to represent certificates. It's even an international standard.
The issue is that certificates themselves are not always necessary or
desirable.
> In addition, we need to manage, archive, revoke,
> etc. these certificates within an organization. None of this has
> anything at all to do with MIME, and little to do with the integration
> of PEM and MIME, or MIME and e-mail, or even PEM, MIME, and an X.500
> directory user agent.
Agreed :).
> The fact that AOCE and
> PEM began to diverge and haven't yet begun the process of converging
> is bad enough
Um, they haven't, to my knowledge. I can send PEM mail with my AOCE
signer file. This message is an existence proof :). You can do the
same thing with Lotus Notes, etc. It may take a third-party piece of
software, but the keys, certificates, and signatures all use the same
representations. MIME/PEM does not change this.
> Even though we might be competitors in
> a certain sense, I would like to see that effort succeed.
Oh, I do too. I like certificates in many contexts. I'm just not fond
of mandating them, or waiting for that effort to succeed before we move
forward on MIME/PEM. That's all.
Amanda Walker
InterCon Systems Corporation
-----END PRIVACY-ENHANCED MESSAGE-----