On Wednesday, July 02, 1997 6:05 PM, John Gardiner Myers
[SMTP:jgmyers(_at_)netscape(_dot_)com] wrote:
S/MIME is primarily a security system for internet messages. Internet
messaging identities are in the form of RFC 822 addresses. It is thus
entirely reasonable and preferable to require that systems which provide
identity certification for the internet to deal with internet (rfc822)
identities.
Imagine that there is no UA mapping mechanism and certificates are bound
to people directly by the E-Mail Attribute. Now imagine that you just
paid 1000 digi-bucks for a VeriSign Class 20 certificate which required
you to undergo DNA testing and a polygraph scan. Now imagine your
e-mail address gets changed. Oh well... (or, heaven forbid, that you
have two e-mail addresses. Nevermind, nobody has more than one e-mail
address.)
All sarcasm aside, the important thing is to map your understanding of a
person's identity with the contents of the data they're sending you. If
your understanding is based on their e-mail address then that's an
appropriate binding. If, OTOH, it's based on a VISA number, or Driver's
License, or SSN, etc. then that's what's appropriate to be in the cert.
--
Ron Craswell
Deming Internet Security
<http://www.deming.com>