David P. Kemp wrote:
The identity associated with an email address is derived primarily by
the content that has historically been associated (in the mind of the
reader) with that address. If the email address were unique and
permanent, it might be suitable for use as a primary identity. But
email addresses typically change more often than Common Names, so
*requiring* the email address to be the primary identity is not
appropriate.
But Common Names are far from being unique, so utterly fail to be
suitable for use as a primary identity.
In your argument, you compare the permanency qualities of email
addresses with Common Names, then assert that DNs are therefore are more
suitable than email addresses. This arugment is bogus becuase DNs are
not the same as Common Names. DNs contain Common Names, but since
Common Names do not fit the uniqueness requirement, DNs contain other
information. This other information changes about as often as (if not
more frequently than) the email address, so DNs taken as a whole have no
better permanency properties than email addresses.
(If email address is the most stable thing in your life,
more stable than your employer, your residence address, or your ISP,
then you as an individual could choose to make it your Certified
primary identity for personal communications.
Historically my published email address has been more stable than any of
my employer, residence address, or ISP.
In US culture, none of employer, residence, or ISP are even close to
being stable over a person's life. Even Common Name isn't completely
stable for almost half the population. Then there are other cultures to
consider.
In that case, the
mapping from identity to email address is trivial. But it is still a
mapping.)
And the mapping from the combination of Common Name and any of the above
to an identity is similarly a mapping. Sometimes the mapping is not
unique.
The identity that UAs care about *is* the email address. It is
reasonable to require this information be provided by the CA.
When attribute certificates come into common use, it would be appropriate
to use them to provide a Certified mapping from identity to email address.
But if the only choice is between 1) using email as the primary identity
and mapping other attributes (public key, DN, etc) to it, and 2) requiring
the user and the UA to maintain a mapping from identity to email address,
I'll choose 2.
Again, there are far fewer CAs than UAs in the world, and CAs are better
equipped to deal with issues of identity.
In addition, CAs issuing certificates online typically call those
certificates "zero assurance", because the only thing they prove is
that on a particular date a keyholder can get a copy of email sent to
that address. If the CA is only certifying a (one-time) association
between a key and an email address, that is a pretty weak assertion.
Certainly not something I'd pay money for :-).
I'd certainly be unwilling to pay for any messaging cert that doesn't at
least give me this assertion. I could care less about wheter you're
"David P. Kemp" at a certain residence or "David P. Kemp, Jr." at the
same or other residence, I care whether or not a message is from or to
the same thing as was the last time I interacted with whatever
"dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil" is.
Now, if "missi.ncsc.mil" gave better information to the CA doing the
certification, or if "missi.ncsc.mil" was the CA itself, then the
assurance the CA could provide would be stronger.