From: Elliott N Ginsburg <ginsburg(_at_)mitre(_dot_)org>
To: Blake Ramsdell <BlakeR(_at_)deming(_dot_)com>;
<gangolli(_at_)StructuredArts(_dot_)com>; 'Elliott N Ginsburg'
Cc: 'ietf-smime(_at_)imc(_dot_)org' <ietf-smime(_at_)imc(_dot_)org>
Date: Wednesday, December 17, 1997 7:52 AM
Subject: Re: Checking the From address against the cert (was RE:
There are definitely some of us who do not want the checking against From
address to be mandatory. Someone just pointed out to me that S/MIME objects
will be carried in HTTP, where email address is not an issue. That is the
issue that must be decided on the list.
I think the desired MUA actions look like this:
If there is a signature use it when displaying "from" info.
else use the regular mail headers and warn about
unauthenticated sender (this for encrypted only data)
On reply if there are multiple addresses AND they are
different prompt user to pick one (indicating which
one is authenticated).
In other words I think the signature supersedes the mail headers. I also
think most of this stuff is SHOULD's not MUST's since so much of it depends
on what the user is trying to do.
All that said S/MIME is a transport - why are we taking about user agent
actions? It's one thing to say the MUA must be able to process a particular
type of data, saying what it should do with it, particularly data from other
protocols seems odd to me.
Lastly - IMHO whatever we do should provide for the case where no
From:/Sender: line is supplied (non smtp transport).
Description: S/MIME cryptographic signature