
Re: Trivial PKI Question




At 10:17 AM +0100 3/6/03, Anders Rundgren wrote:
Roger,

This "works" in the paper-world as people are "flexible". Automated
receivers OTOH are very unlikely to be able to handle arbitrary schemes.
Using a business system as a mid-tier eliminates the need to move the
arbitrary-ness of the paper-world into the e-world.

**RY it will also work in the e-world as only specified digital signatures
will be accepted on order forms from specific companies.

If we now try to scale-up the partner network to the size of major manufacturers with tens of thousands of suppliers, how exactly is this going to work? "Only specified digital signatures" sounds very much as out-of-band, small scale etc. How should an automated process be able to cope with that?

As a final note, I would like to express a wish that the S/MIME and
PKIX WGs start looking a bit above the ASN.1-level, to also address
deployment issues and shrink-wrap SW support.

**RY If I understand the role of the IETF WGs correctly it is not
within our area to do those things.

One can note that the only PKIs working on a global scale, are building on a one-to-one identity mapping between the entity's perceived identity and the identity as expressed in the certificate. Yes, I of course refer to e-mail and web-server certificates. Other aspiring users of PKI, like e-commerce, have not even *begun* to look into the naming issue as apparently nobody feels that it is "their business". Who are we waiting for? The IETF, OASIS, W3C, EU, or the UN? Or are we maybe waiting for Microsoft and VeriSign? I believe the two latter will do this 4US as the standards committees seem to be out of ideas, direction, competence and ambitions. We will some time in the future, be discussing in this very list, the so-called "completely broken MS/VS-scheme", that then will be the de-facto PKI naming standard. :-)


I personally have observed the absolute mess Microsoft and Verisign have made of things. They are, as are most corporations, motivated by profit. They just happen to be a bit more motivated than most. I don't want to see them setting any kind of a de-facto standard. I'll gladly work on the naming issue.


-- Thanks,

Ms. Jimi Thompson, CISSP, Rev.

"If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year, killing everyone inside." -- Robert Cringely