From: Russ Housley [mailto:housley(_at_)vigilsec(_dot_)com]
I'm still not clear whether S/MIME means "secure MIME used anywhere MIME
can be used, such as XMPP or BEEP" or S/MIME means "secure MIME used for
interpersonal email messaging". Depending on the answer, you will get
different answers if it's necessary to clarify any language about the
absence of email addresses in the certificate.

I agree. S/MIME is already used in AS2 (secured EDI), in an HTTP-based
protocol. From my point of view, S/MIME is only a way of wrapping data, and
should not be mixed with the transport. So, managing e-mail addresses, or
URIs, or anything concerning transport is a problem when implementing an
S/MIME module that can be used in both (or more) contexts. I am presently
developing such a module, and facing such issues. And the only solution is
to let upper modules (AS1, AS2, S/MIME secured SMTP,...) handle the
constraints brought by the transport layer, or just ignore them, which is
the case with the subjectAltName. I'm sorry not to be compliant with the
SHOULD statement we are discussing, but what can I do?