pem-dev

Re: PK identifier issue

1995-01-05 10:29:00
        Based on the grammar in the MIME-PEM spec, I assume the contents
        of application/pemkey-data for PK would be as follows:

        Version:5
        Key:PK, MHkwCgYEVQgBAQICAwADawAwaAJhAMAHQ45ywA357G4fqQ61aoC1fO6B=
        ekJmG4475mJkwGIUxvDkwuxe/EFdPkXDGBxzdGrW1iuh5K8kl8KRGJ9wh1HU4Trgh
        Gdhn0Lw8g=
        G67Dmb5cBhY9DGwq0CDnrpKZV3cQIDAQAB,EN,2,galvin(_at_)tis(_dot_)com

        This association would then be verified by the recipient and kept for 
        subsequent use.   I agree this is reasonable procedure.

Phil, it doesn't matter where the association is placed, it is incumbent
upon the recipient to verify the binding.  The specification makes no
distinction about verifying the binding based on whether it appears in
the pemkey-data or pem-signature.

In any case, I think it's pretty clear that the consensus of the working
group on your proposal would be "no".  Just to be sure, as I understand
your proposal, you're suggesting using nameForms/keySelectors only in
the pem-signature and relegating the binding to the public key to only
appear in the pemkey-data.  This is the opposite of all the current
traffic on this mailing list to date.

Jim
