ietf-smime

RE: Comparing email header fields with certificate contents...?

1997-07-04 06:01:00


----------
From:  John Gardiner Myers[SMTP:jgmyers(_at_)netscape(_dot_)com]
Sent:  Wednesday, July 02, 1997 9:04 PM
To:    ietf-smime(_at_)imc(_dot_)org
Subject:       Re: Comparing email header fields with certificate contents...?

Ron Craswell wrote:
"At a minimum, either the Distinguished Name used to identify an
Internet mail entity MUST include an Internet mail address, or some
other mechanism MUST be implemented in the user agent to provide for
mapping Distinguished Names to Internet mail address."

It seems apparent that this will generate a set of CAs that are creating
certs without an internet-style EA attribute (under the assumption that
the user agent will handle the mapping) and a set of user agents that
will assume they don't have to handle the mapping (under the reverse
assumption).

Shouldn't either one or the other case be mandated?

I'll agree with that.

I'll vote for the UA mapping.

We don't vote in the IETF, we present arguments to support our
positions.

S/MIME is primarily a security system for internet messages.  Internet
messaging identities are in the form of RFC 822 addresses.  It is thus
entirely reasonable and preferable to require that systems which provide
identity certification for the internet deal with internet (rfc822)
identities.

Also, using a mapping system raises concerns about security and trust
weaknesses in the mapping system.

Michel Ranger wrote:
I vote for UA mapping as well.  Some CAs or companies may want to issue
certs that are not e-mail specific, where an e-mail address would not be
appropriate to enforce as mandatory.

There is at least an order of magnitude more UAs than CAs.  The cost of
saving the CAs the work causes an inordinate amount of extra work to be
borne by the UAs.  This is backwards.

CAs are by definition in the business of asserting things about
identity.  If a CA wants to issue certs that are useful for e-mail, it
is not unreasonable to expect them to assert something about the e-mail
identity.

I guess instead of voting again, I'll elaborate my arguments.

As with everything else, it depends on your perspective.
The consumer internet space is quite different from the corporate space.
A CA that wants to issue as many certs per user, per year, per application,
will have a much different perspective than someone running a CA within
a company that does not want a management nightmare in dealing with a
short certificate half-life.

If you are a CA issuing identities to employees, and e-mail UAs force you to
provide e-mail addresses, ISAKMP/IPsec forces you to include your IP address,
your fax number, your department number, and all sorts of other application
info, your certificate half-life could be weeks instead of months or years
(i.e. similar to getting a new badge every time a new application rolls out,
or a piece of information changes).

This is over and above the cost argument.  Then think about the possible
list of certificates every user has, and god knows for which application,
the growth of CRLs, the number of passwords.  The number of passwords is
what certificate-based systems are supposed to reduce, not increase.

Our products will allow you to specify the e-mail address, as an option,
but it is optional.  As a matter of CA CPS, many of our customers won't
include the e-mail address in the certificate, as a matter of policy.
Others will include it, for convenience or assertion purposes as you
mention.  In summary, it is a policy and environment-specific decision.

Hope this helps,

Michel
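The receiving-agent check both sides of this thread are arguing about, written out as an added example (not code from this thread or from any product mentioned in it): the From address is compared against the rfc822Name entries the certificate asserts, and only when the certificate asserts none does the UA consult its own DN-to-address map, so a local map can never override what the CA stated. The `dnMap`, the `sameMailbox` comparison rules and the self-signed test certificate are assumptions made here; the example reads the address from the subjectAltName rfc822Name, where current S/MIME profiles put it, rather than from the DN attribute discussed above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/mail"
	"strings"
	"time"
)

// sameMailbox compares two RFC 822 addresses: domain case-insensitively, local part exactly.
func sameMailbox(a, b string) bool {
	ia, ib := strings.LastIndex(a, "@"), strings.LastIndex(b, "@")
	return ia > 0 && ib > 0 && a[:ia] == b[:ib] && strings.EqualFold(a[ia+1:], b[ib+1:])
}

// SenderMatchesCert is the UA-side check the thread argues over. If the certificate
// asserts rfc822Name entries in subjectAltName, From must match one of them. If it
// asserts none, the UA falls back to its own DN-to-address map (hypothetical dnMap,
// keyed by the subject DN string); a DN with no mapping fails closed.
func SenderMatchesCert(fromHeader string, cert *x509.Certificate, dnMap map[string]string) bool {
	addr, err := mail.ParseAddress(fromHeader)
	if err != nil {
		return false
	}
	if len(cert.EmailAddresses) > 0 {
		for _, e := range cert.EmailAddresses {
			if sameMailbox(addr.Address, e) {
				return true
			}
		}
		return false // the CA asserted addresses and the sender is not among them
	}
	mapped, ok := dnMap[cert.Subject.String()]
	return ok && sameMailbox(addr.Address, mapped)
}

// newTestCert builds a self-signed certificate (constructed test data) with the
// given common name and optional rfc822Name SAN entries.
func newTestCert(cn string, sans []string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), EmailAddresses: sans,
		Subject:   pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```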