RE: Comparing email header fields with certificate contents...?

1997-06-23 04:49:05

From:  Ron Craswell[SMTP:ronc(_at_)deming(_dot_)com]
Sent:  Friday, June 20, 1997 11:53 AM
To:    'ietf-smime(_at_)imc(_dot_)org'
Cc:    Blake Ramsdell
Subject:       RE: Comparing email header fields with certificate contents...?

This remark from Weston is from smime-dev:

On Friday, June 20, 1997 8:05 AM, Nicolls, J. Weston
[SMTP:jwnicol(_at_)missi(_dot_)ncsc(_dot_)mil] wrote:

A good secure email application should not make the recipient rely on an
untrusted email address or make comparing the cert alt-name to the given
email address a critical part of the cert path processing.  The app should
provide the DN of the validated user cert to the recipient (perhaps in the
same line/area as the From line) since that is what tells the recipient who
cryptographically sent the message.

Which brings up a question I have with the following:

"At a minimum, either the Distinguished Name used to identify an
Internet mail entity MUST include an Internet mail address, or some
other mechanism MUST be implemented in the user agent to provide for
mapping Distinguished Names to Internet mail address."

It seems apparent that this will generate a set of CAs that are creating
certs without an internet-style EA attribute (under the assumption that
the user agent will handle the mapping) and a set of user agents that
will assume they don't have to handle the mapping (under the reverse

Shouldn't either one or the other case be mandated?  I'll vote for the
UA mapping.

I vote for UA mapping as well.  Some CAs or companies may want to issue
certs that are not e-mail specific, where an e-mail address would not be
appropriate to enforce as mandatory.

Ron Craswell
Deming Internet Security
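
An added sketch, not part of the original message, of the user-agent behaviour discussed in this thread: the DN of the already validated signer certificate is always shown, and the From address is compared against addresses in the cert or a UA-side DN mapping only as an advisory check. The function name, the mapping table and all sample values are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed UA-side mapping from certificate DN to known mail addresses
# (hypothetical entry; a real UA might keep this in its address book).
DN_TO_ADDRS = {
    "CN=Alice Example,O=Example Corp,C=US": {"alice@example.com"},
}


def normalize(addr):
    """Lowercase the domain only; local parts may be case-sensitive."""
    local, sep, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}" if sep else addr


def signer_view(from_header, cert_dn, cert_emails=(), mapping=DN_TO_ADDRS):
    """Build what the UA shows for a message whose signature and cert path
    have ALREADY validated. The address comparison never changes that
    result; it only decides whether a warning accompanies the DN.

    cert_emails: mail addresses carried in the certificate (may be empty).
    mapping:     UA-side DN -> addresses table, used when the cert has none.
    """
    # The display name is attacker-controlled text; only the addr-spec is compared.
    _display_name, from_addr = parseaddr(from_header)
    from_addr = normalize(from_addr)

    in_cert = {normalize(a) for a in cert_emails}
    in_map = {normalize(a) for a in mapping.get(cert_dn, ())}

    if from_addr and from_addr in in_cert:
        binding = "cert"          # address asserted by the CA
    elif from_addr and from_addr in in_map:
        binding = "ua-mapping"    # address bound locally by the user agent
    else:
        binding = "unbound"       # From line is not tied to this signer

    return {
        "signer_dn": cert_dn,     # always shown next to the From line
        "from_addr": from_addr,
        "binding": binding,
        "warn": binding == "unbound",
    }
```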
