ietf-smime

Re: Comparing email header fields with certificate contents...?

1997-07-02 18:01:28
Ron Craswell wrote:
"At a minimum, either the Distinguished Name used to identify an
Internet mail entity MUST include an Internet mail address, or some
other mechanism MUST be implemented in the user agent to provide for
mapping Distinguished Names to Internet mail address."

It seems apparent that this will generate a set of CAs that are creating
certs without an internet-style EA attribute (under the assumption that
the user agent will handle the mapping) and a set of user agents that
will assume they don't have to handle the mapping (under the reverse
assumption.)

Shouldn't either one or the other case be mandated?

I'll agree with that.

I'll vote for the UA mapping.

We don't vote in the IETF, we present arguments to support our
positions.

S/MIME is primarily a security system for internet messages.  Internet
messaging identities are in the form of RFC 822 addresses.  It is thus
entirely reasonable and preferable to require that systems which provide
identity certification for the internet deal with internet (RFC 822)
identities.

Also, using a mapping system raises concerns about security and trust
weaknesses in the mapping system.

Michel Ranger wrote:
I vote for UA mapping as well.  Some CAs or companies may want to issue
certs that are not e-mail specific, where an e-mail address would not be
appropriate to enforce as mandatory.

There is at least an order of magnitude more UAs than CAs.  The cost of
saving the CAs the work causes an inordinate amount of extra work to be
borne by the UAs.  This is backwards.

CAs are by definition in the business of asserting things about
identity.  If a CA wants to issue certs that are useful for e-mail, it
is not unreasonable to expect them to assert something about the e-mail
identity.
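The comparison this thread's subject line asks about, written out as a user-agent check: an added example, not code from the list post or from any S/MIME implementation. It assumes the certificate's subject DN is available as an RFC 2253 string and its subjectAltName rfc822Name values as a list; UA_DN_MAP is a constructed stand-in for the "mapping in the user agent" alternative, reported separately so a caller can see which mechanism (and which trust basis) the match rested on.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for a UA-maintained DN-to-address table (the
# "mapping in the user agent" option). Its entries carry no CA assertion.
UA_DN_MAP = {"CN=Alice Example,O=Example Corp": "alice@example.com"}

EMAIL_ATTRS = ("EMAILADDRESS", "E", "EMAIL")  # spellings of the PKCS#9 attribute

def addresses_in_subject(dn):
    """Collect addresses from emailAddress RDNs of an RFC 2253 DN string."""
    found = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas not escaped as '\,'
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() in EMAIL_ATTRS:
            found.append(value.strip())
    return found

def normalise(addr):
    """Domain part compared case-insensitively; the local part is left as the
    sender wrote it, since RFC 822 leaves its case to the receiving host."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()

def sender_matches_cert(from_header, subject_dn, san_rfc822=(), ua_map=None):
    """Return (matched, source) for a From: header against a certificate.

    source is 'san' or 'subject' when the CA itself asserted the address,
    'ua-map' when only the local mapping table vouched for it, else None.
    """
    sender = normalise(parseaddr(from_header)[1])
    for addr in san_rfc822:                       # CA-asserted, preferred
        if normalise(addr) == sender:
            return True, "san"
    for addr in addresses_in_subject(subject_dn):  # CA-asserted, in the DN
        if normalise(addr) == sender:
            return True, "subject"
    if ua_map and subject_dn in ua_map:            # local table, weakest
        if normalise(ua_map[subject_dn]) == sender:
            return True, "ua-map"
    return False, None
```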