Jeff,
I would just like to agree with you on a point and agree to disagree
with you on another.
Bob> If I don't already have the certificate in hand from the
> originator and only have the key digest, I haven't any idea
> where to look until a worldwide directory of keys indexed by
> such digests comes into existence.
>
Jim> I couldn't agree more. This is an excellent reason for not
> using just a digest of a public key.
The same objections made to a key digest apply equally to the
arbitrary index blob which is the basis for your claim that all the
name forms can be implemented easily.
I will agree with you that of the 3 name forms, the arbitrary string
does not provide a means by which a recipient missing an originator's
public key can retrieve it. The principal purpose of the arbitrary
string name form is to provide a mechanism with which a closed community
of users can communicate, assuming an a priori agreement between them
about how to interpret this field. I've added some discussion of this
to the next revision of the PEM/MIME document.
However, this is different from whether the choice of name form matters
to a local database implementation.
Bob> > If I wanted to store PEM/MIME certificates in an X.500
> > directory, perhaps using the Bell Northern Entrust
> > program, do I have to do something new?
Jeff> Yes.
>
Jim> No.
Yes, for the reasons stated above.
I think we'll just have to agree to disagree on this point.
Jim