I am, to be truthful, not too concerned with the key selector issue one way
or another. All of the databases in our products are free-form anyway, so
whatever ends up in the spec regarding key management is likely to be a
small speed bump for us at best, if at all. That being said, I wouldn't
mind dropping the key selector as an explicit identifier and using either
of the alternative ideas that have been mentioned: self-signed certificates
or bare public keys in the Originator-ID field.

I should point out that using the bare public key in the Originator-ID
field does not keep someone from sending a self-signed certificate if
they want to. The only certificate-holding field in MIME/PEM is in
application/pemkey-data, where I'm suggesting we put all the
certification stuff. The public key in the Originator-ID can be used
as a pointer to the self-signed certificate. That's the beauty of
just using the public key as the identifier: it is common to all the
public key certification schemes, by definition.

- Jeff