I question the utility of transmitting an unverified public key
along with a name in a signature.
Based on the grammar in the MIME-PEM spec, I assume the contents of
application/pemkey-data for PK would be as follows:
Version:5
Key:PK, MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6B=
ekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn0Lw8g=
G67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin(_at_)tis(_dot_)com
This association would then be verified by the recipient and kept for
subsequent use. I agree this is reasonable procedure. I don?t propose
any changes to this.
Application/pem-signature with a public key identifier contains the
following:
Version: 5
Originator-ID:
PK,MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6B=
ekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4TrghGdhn0Lw8g=
G67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin(_at_)tis(_dot_)com
The MIME-PEM document cautions against use of an unverified public key
received in this manner.
Given that, my proposal is to not allow the public key to be transferred in
this way as part of the pem-signature data.
Hmm. Well, this is now gotten far outside my area of expertise. I'm going to
have to ask Jim and Sandy to comment on this proposal.
My personal opinion is that this loses big in terms of functionality loss, and
that the problem you're trying to solve isn't being solved by this change, but
Jim and Sandy are the experts in this area.
Ned