I don't have a best practice reference. It might have been mentioned here schneier.com/books/applied_cryptog... but I only read about a third of that book back in 1998. If I recall, I asked a very experienced dev how it was done and he mentioned it was done that way (the guy I asked used to work on an S/MIME toolkit back in the day).
My solution worked when I tested it but it never actually shipped. The company I worked for folded (for other reasons!) before it was deployed.
Thanks for the prompt response and the great article.