> I understand that non-email applications of CMS and the associated MIME
> types need other address forms. But, RFC2632bis does not tell an
> implementor what to do for S/MIME (which is an email application) if the
> certificate does not contain an email address.
I'm still not clear whether S/MIME means "secure MIME used anywhere MIME
can be used, such as XMPP or BEEP" or S/MIME means "secure MIME used for
interpersonal email messaging". Depending on the answer, you will get
different answers if it's necessary to clarify any language about the
absence of email addresses in the certificate.
One could make a statement about email and a separate statement about
other MIME-enabled applications if needed.
The relevant text about current processing rules seems to be:
   Sending agents SHOULD make the address in the From or Sender header in
   a mail message match an Internet mail address in the signer's
   certificate. Receiving agents MUST check that the address in the From
   or Sender header of a mail message matches an Internet mail address,
   if present, in the signer's certificate, if mail addresses are present
   in the certificate. A receiving agent SHOULD provide some explicit
   alternate processing of the message if this comparison fails, which
   may be to display a message that shows the recipient the addresses in
   the certificate or other certificate details.
So if there are not any email addresses found in the certificate, this
is a mismatch (blank from the certificate doesn't match nonblank from
the From or Sender), and you should go crazy insane and show a hex dump
of the certificate.
We could clarify that "failure" includes the case where there are zero
email addresses in the certificate...
In practice, if there is not an email address in the certificate, the
client needs to have additional stuff to bind email addresses to
certificates. This could be done in an address book or elsewhere.
What needs to go in the document?
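As an added illustration of the receiving-agent comparison quoted above (example code written for this page, not from the thread's authors or from RFC2632bis), the following Python separates the outcome the thread is debating, a certificate carrying zero email addresses, from an ordinary mismatch, so a client can route it to its own address-book binding instead of treating it as a failed comparison. It assumes the certificate's addresses have already been extracted into a list of strings (for instance from rfc822Name subjectAltName entries), that header values are passed as raw strings, and, as a conservative choice that is an assumption rather than anything the RFC text specifies, that only the domain part is compared case-insensitively. All sample inputs are constructed.

```python
"""
Compare the From/Sender address of a message against the e-mail addresses
carried in the signer's certificate, reporting the "no address in the
certificate" case separately from a mismatch.  Example code; the matching
rules beyond the quoted RFC text are assumptions, not normative.
"""
from email.utils import parseaddr
from enum import Enum


class Verdict(Enum):
    MATCH = "match"                          # a header address is in the cert
    MISMATCH = "mismatch"                    # cert lists addresses, none match
    NO_CERT_ADDRESS = "no-cert-address"      # cert carries no e-mail address
    NO_HEADER_ADDRESS = "no-header-address"  # neither From nor Sender parses


def _normalize(addr: str) -> str:
    """Lower-case only the domain.  The local part is kept as-is (assumption:
    local parts are case-sensitive in SMTP, so compare them exactly)."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep:
        return addr.strip()
    return f"{local}@{domain.lower()}"


def header_addresses(headers: dict) -> list:
    """Collect the addr-spec from the From and Sender headers, the two
    headers the RFC text names; a header with no addr-spec is skipped."""
    found = []
    for name in ("From", "Sender"):
        value = headers.get(name)
        if value:
            _, addr = parseaddr(value)
            if addr:
                found.append(_normalize(addr))
    return found


def check_signer_address(headers: dict, cert_emails: list) -> Verdict:
    """Receiving-agent check from the quoted text.  A certificate with zero
    e-mail addresses is reported as NO_CERT_ADDRESS so the client can fall
    back to its own binding (address book or similar) rather than treat it
    as a failed comparison."""
    hdr = header_addresses(headers)
    if not hdr:
        return Verdict.NO_HEADER_ADDRESS
    cert = {_normalize(e) for e in cert_emails}
    if not cert:
        return Verdict.NO_CERT_ADDRESS
    if any(a in cert for a in hdr):
        return Verdict.MATCH
    return Verdict.MISMATCH


# Constructed sample inputs (not taken from the thread).
SAMPLES = [
    ({"From": "Alice Example <alice@Example.org>"}, ["alice@example.org"]),
    ({"From": "alice@example.org", "Sender": "list@example.net"},
     ["list@example.net"]),
    ({"From": "alice@example.org"}, ["bob@example.org"]),
    ({"From": "alice@example.org"}, []),
    ({"Subject": "no originator header"}, ["alice@example.org"]),
]

if __name__ == "__main__":
    for hdrs, emails in SAMPLES:
        print(f"{hdrs} vs {emails}: {check_signer_address(hdrs, emails).value}")
```

Run as-is, the five constructed samples yield match, match, mismatch, no-cert-address and no-header-address in that order. The last two verdicts are the ones the quoted text leaves to "alternate processing"; keeping them distinct from MISMATCH is what lets a client show the certificate's addresses for a genuine conflict while consulting its own binding data when the certificate simply carries none.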