...

gateways, and suddenly people using auto-encrypting mail programs find that no-one can read their posts.

Presence on a keyring means that a key exists, not that the owner of a key has a policy that it should always be used, or that it should be used by everybody. Both PGP and PEM get this completely wrong. Not every key will be used for every purpose. Mere existence of a key should not indicate permission to encrypt with it.

PGP lets you choose which key to use when you care, and doesn't care what's in the Name field; if you want to implement behavior inside of that it will handle it transparently; e.g. "Digicash: Eric Hughes <hughes@accounts.cayman.digibank.com>" (though it would be nice if it had more Unix-like regexp code for selecting keys).

No current cryptosystem has a way of specifying policy in a public key distribution system. I want separate keys for separate machines, Policy isn't really the cryptosystem's job; it's the application's.

...

Whatever solution we can find will have to involve active support from the keyservers I suspect. The key servers are just serving data. To add policy criteria to the key servers is to extend their functionality beyond their original intent.

The intent of keyservers is to have a convenient mechanism for finding keys when you want them. Having specific keyservers keep track of specific bunches of keys is a reasonable use of that convenience. Maybe a bankers' association would run a keyserver to serve keys for banks and (if appropriate) for customers, with the location known by most of the common software, and maybe a remailer operators' group would do the same for their remailer cooperative. There are a lot of wys to use mechanisms... Bill Stewart