Jim Galvin writes, excerpting:
>Excuse me?! Have you forgotten about the PCAs required in RFC
>1422, which by the way is required in a compliant 1421
>implementation? Every implementation is required to track the
>existence of every PCA and to be able to report to a user the
>implications of a public key found to be issued under that PCA.
Wrong. 1421 does not require use of 1422, though it recommends it
in the interests of a common basis for interworking. It is wholly
possible to build a 1421-compliant implementation which has nothing
at all to do with 1422; several PEM implementations have been
constructed, e.g., based purely on symmetric-key cryptography.
Well, John, you got me. As far as symmetric key cryptography is
concerned, I agree with you. However, actual language in the
specification notwithstanding, it is a recognized intent that where
asymmetric cryptography is concerned, a compliant implementation of PEM
must be compliant with the suite of 4 RFCs: 1421, 1422, 1423, and 1424.
To date I, at least, have said this several times on this list, although
the phrase I've been using is: the PEM/MIME specification divorces what
1421 and 1422 marry.
Jim