ietf-smime

Re: Comparing email header fields with certificate contents...?

1997-07-03 06:54:31
From: John Gardiner Myers <jgmyers@netscape.com>

Ron Craswell wrote:

> Shouldn't either one or the other case be mandated?

I'll agree with that.

> I'll vote for the UA mapping.

We don't vote in the IETF; we present arguments to support our
positions.


The identity associated with an email address is derived primarily by
the content that has historically been associated (in the mind of the
reader) with that address.  If the email address were unique and
permanent, it might be suitable for use as a primary identity.  But
email addresses typically change more often than Common Names, so
*requiring* the email address to be the primary identity is not
appropriate.  (If email address is the most stable thing in your life,
more stable than your employer, your residence address, or your ISP,
then you as an individual could choose to make it your Certified
primary identity for personal communications.  In that case, the
mapping from identity to email address is trivial.  But it is still a
mapping.)

When attribute certificates come into common use, it would be appropriate
to use them to provide a Certified mapping from identity to email address.
But if the only choice is between 1) using email as the primary identity
and mapping other attributes (public key, DN, etc) to it, and 2) requiring
the user and the UA to maintain a mapping from identity to email address,
I'll choose 2.

In addition, CAs issuing certificates online typically call those
certificates "zero assurance", because the only thing they prove is
that on a particular date a keyholder can get a copy of email sent to
that address.  If the CA is only certifying a (one-time) association
between a key and an email address, that is a pretty weak assertion.
Certainly not something I'd pay money for :-).


Summary:

1) User agents MUST be able to map certified identities (DNs) to
   email addresses, under control of the user.

2) User agents MAY support certified mapping of identity to email
   address, using attribute certificates.

3) User agents MAY use the email address from the subjectAltName extension
   (of a normal certificate) but MUST NOT require it to be present.