Assume that I sign a document's digest with 'openssl dgst -sign ...' and distribute the document with the signature. How can I help recipients find a corresponding certificate (i.e., one that contains a public key that successfully verifies the signature and usually also contains some identity information related to the document)? If a recipient has a list of trusted certificates and no additional information, it looks like he has to resort to checking each and every one of his trusted certificates to see which one fits.
S/MIME solves that by including the certificate in the document. I do not want this in my application. AFAIK, GnuPG solves a similar issue by including a key ID. I thought that maybe including the certificate _fingerprint_ would be a good idea when using OpenSSL. Then, recipients can sort their trusted certificates by fingerprint. However, it appears to be common practice to sort certificates by their _subject hash_ instead. What is the reason for using the subject hash instead of the certificate fingerprint? Thank you for a clarification!

Lasse
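The scheme the question sketches, as an added example that is not part of the original post: the sender ships the SHA-256 certificate fingerprint next to the detached signature, and the recipient keeps trusted certificates in a directory named by fingerprint, so the matching certificate is a single file lookup rather than a trial verification against every trusted certificate. The subject hash is printed alongside for comparison. It needs only the openssl command-line tool; the key, certificate, subject names and file names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): fingerprint-keyed lookup of the
# certificate that verifies an 'openssl dgst -sign' signature.
# All file names, subjects and keys below are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Sender side: a key and a self-signed cert standing in for a real one ---
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/signer.key" \
    -out "$WORK/signer.crt" -subj "/CN=Example Document Signer" -days 1 \
    >/dev/null 2>&1

printf 'Document contents to be signed\n' > "$WORK/document.txt"
openssl dgst -sha256 -sign "$WORK/signer.key" \
    -out "$WORK/document.sig" "$WORK/document.txt"

# Certificate fingerprint: hash over the DER-encoded certificate, so it pins
# exactly one certificate (key, identity, issuer, validity), not just a name.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
# Subject hash: 8 hex digits derived from the subject name only. This is what
# c_rehash / -CApath directories key on, and it is the same for every
# certificate with that subject (e.g. a renewed certificate for the same name).
subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# The fingerprint travels with the document and the detached signature.
fingerprint "$WORK/signer.crt" > "$WORK/document.sig.fp"

# --- Recipient side: trust store with certificates named by fingerprint ---
mkdir -p "$WORK/trusted"
# A second, unrelated trusted certificate that the lookup must not touch.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -subj "/CN=Someone Else" -days 1 >/dev/null 2>&1
for c in "$WORK/signer.crt" "$WORK/other.crt"; do
    cp "$c" "$WORK/trusted/$(fingerprint "$c").pem"
done

# Resolve the certificate by the shipped fingerprint, re-check that the file
# really has that fingerprint (a renamed file must not pass as another cert),
# and verify the signature with the public key it carries.
# Prints "OK" and returns 0 on success, prints "FAIL" and returns 1 otherwise.
verify_with_fingerprint() {
    doc=$1; sig=$2; fpfile=$3; store=$4
    want=$(cat "$fpfile")
    cert="$store/$want.pem"
    if [ ! -f "$cert" ]; then
        echo FAIL; return 1
    fi
    if [ "$(fingerprint "$cert")" != "$want" ]; then
        echo FAIL; return 1
    fi
    openssl x509 -in "$cert" -pubkey -noout > "$WORK/resolved.pub"
    if openssl dgst -sha256 -verify "$WORK/resolved.pub" \
            -signature "$sig" "$doc" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL; return 1
    fi
}

verify_with_fingerprint "$WORK/document.txt" "$WORK/document.sig" \
    "$WORK/document.sig.fp" "$WORK/trusted"
echo "signer fingerprint: $(cat "$WORK/document.sig.fp")"
echo "signer subject hash: $(subject_hash "$WORK/signer.crt")"
```

The fingerprint lookup is a direct file open, and the re-check of the resolved file's fingerprint means the trust store's file names are a cache, not something the verifier has to trust. Note what the fingerprint does not do: it says which certificate to use, but it says nothing about whether that certificate should be trusted, so the recipient still has to decide membership of the trust store independently (here, by having copied the certificate in).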