3.4.1.4 Facilitating Interoperation

In the absence of ubiquitous directory services or knowledge (acquired through out-of-band means) that a recipient already possesses the necessary issuer certificates, it is recommended that an originating (PEM) UA include sufficient certificates to permit validation of the user's public key. To this end every PEM UA must be capable of including a full (originator) certification path, i.e., including the user's certificate (using the "Originator-Certificate" field) and every superior (CA/PCA) certificate (using "Issuer- Certificate" fields) back to the IPRA, in a PEM message. A PEM UA may send less than a full certification path, e.g., based on analysis of a recipient list, but a UA which provides this sort of optimization must also provide the user with a capability to force transmission of a full certification path.

Optimization for the transmitted originator certification path may be effected by a UA as a side effect of the processing performed during message submission. When an originator submits an ENCRYPTED message (as per RFC 1421, his UA must validate the certificates of the recipients (see Section 3.6). In the course of performing this validation the UA can determine the minimum set of certificates which must be included to ensure that all recipients can process the received message. Submission of a MIC-ONLY or MIC-CLEAR message (as per RFC 1421) does not entail validation of recipient certificates and thus it may not be possible for the originator's UA to determine the minimum certificate set as above.