Bob:
The problem with certificate serial numbers is that the same key is often
certified several times (by the same or different CAs), so it is sometimes
useful to recognize keys by key identifiers rather than certificate serial
numbers. For this reason, we are currently introducing key identifiers into
X.509 certificates. I see MIME/PEM key selectors as fulfilling basically the
same role.
In looking more into the potential deficiencies of MIME/PEM in the
infrastructure environment, the main one seems to be the inability to carry an
originator's certificate in the message header (which 1421 supported). While
this is not essential (as the recipient can always do a Directory retrieval) it
could represent a substantial performance issue. Most other application
protocols which support digital signatures include provision for carrying (at
least) one certificate along with the signature, so this looks like a MIME/PEM
deficiency.
Can the certificate be carried elsewhere in the message? Perhaps the MIME/PEM
authors can clarify.
Warwick
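The point made above, that one public key can appear in several certificates with different serial numbers, is illustrated by the following added example (not code from the message or from any PEM implementation). It uses the later-standardized key identifier construction of RFC 5280 section 4.2.1.2, method (1): the SHA-1 digest of the subjectPublicKey BIT STRING value, excluding the tag, length and number-of-unused-bits octet. The DER encoder and reader are minimal, written only for this example; the RSA modulus, the CA names and the serial numbers are constructed filler, not real key material.

```python
"""Key identifiers vs. certificate serial numbers (added example)."""
import hashlib

# --- minimal DER encoder, used only to construct a sample SubjectPublicKeyInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(v: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 when the top bit is set,
    # keeping the INTEGER positive as DER requires.
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return der(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def build_spki(n: int, e: int) -> bytes:
    rsa_pub = der(0x30, der_int(n) + der_int(e))                       # RSAPublicKey
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))    # AlgorithmIdentifier
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))               # SubjectPublicKeyInfo

# --- minimal DER reader: returns (tag, content, offset after the element) ---
def read_tlv(buf: bytes, pos: int = 0):
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def subject_key_identifier(spki: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey bits only."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, _, after_alg = read_tlv(body)
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    bs_tag, bs_body, _ = read_tlv(body, after_alg)
    if bs_tag != 0x03 or bs_body[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return hashlib.sha1(bs_body[1:]).digest()

# Constructed sample: one key certified by two CAs under different serial numbers.
SAMPLE_N = int("c" * 128, 16)          # hypothetical 512-bit modulus, filler value
SAMPLE_SPKI = build_spki(SAMPLE_N, 65537)
CERTS = [                              # constructed certificate records
    {"issuer": "CN=CA One", "serial": 0x1001, "spki": SAMPLE_SPKI},
    {"issuer": "CN=CA Two", "serial": 0x2002, "spki": SAMPLE_SPKI},
]

def index_by_serial(certs):
    """Serial numbers are only unique per issuer: the same key yields two entries."""
    return {(c["issuer"], c["serial"]): c for c in certs}

def index_by_key_id(certs):
    """A key identifier collapses every certificate for the same key onto one entry."""
    idx = {}
    for c in certs:
        idx.setdefault(subject_key_identifier(c["spki"]), []).append(c)
    return idx

if __name__ == "__main__":
    print("by (issuer, serial):", len(index_by_serial(CERTS)), "entries")
    print("by key identifier:  ", len(index_by_key_id(CERTS)), "entry")
    print("keyid:", subject_key_identifier(SAMPLE_SPKI).hex())
```

Indexing by (issuer, serial) produces two unrelated entries for what is one key, while the key identifier derived from the SubjectPublicKeyInfo is the same for both certificates; a change in the key material (a different public exponent, for instance) changes the identifier.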