pem-dev

Re: Mandating certificates

1995-01-15 12:47:00

Amanda wrote:

My own point of view is that this is the wrong question.  I think the
question is actually "should operation without certificates be allowed
to be called PEM?"  Personally, I don't care.  I'd be happy to have an
"application/pem-keys" which has a PEM certificate, an "application/pgp-keys"
which has a PGP key (perhaps signed), an "application/rsa-keys" which has
bare keys, and so on--whatever people actually want to use

I agree with you. But I would go a little further: why not have the
"application/pem" and "application/pgp" and "application/XXX" using the
same pair of keys, with the public key represented in an X.509
Certificate (*not* a PEM certificate)? This should be possible,
without great effort, with X.509v3 Certificates. Actually, I'm working
on a project to divulge PGP public keys in X.500. But, due to the fact
that I'm using X.509v1, I had to define new OIDs and a new class object
to represent extra-PGP-public-key-information. When the new X.509v3
becomes available, I hope to upgrade my application, and I know that it
will take much less time and work.

My opinion is that we should try to "sell" the philosophy that lies
behind the X.509, not an application that shows that philosophy.

        vitor 
