I have been debating this with myself for a couple of weeks now, and
after talking to some of the other S/MIME developers at the IMC S/MIME
interop event I am going to raise this issue.
It is unclear to me that we should be suggesting/requiring support for
building certificate chains on anything other than the Subject/Issuer
DN chaining. This means that I am proposing that we will eliminate all
text which is referring to the use of subjectAltName and issuerAltName
for the building of certificate chains.
I think that for the S/MIME V3 spec. we need to look closer at the set
of certificate chaining models which are proposed by the PKIX people.
However at this time I think that the set of models is sufficiently
unclear that we don't want to push any given model. Given that the DN
chaining is a MUST under the current spec and any other methods do not
provide ensured compatibility I think that we should remove them.
Suggested Changes:
Section 2.3
Receiving agents MUST support chaining based on the distinguished
name fields. Other methods of building certificate chains may be
supported but are not currently recommended.
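As an added illustration (not part of the message above, and not code from any S/MIME implementation), the following constructed Python example builds a chain by Subject/Issuer distinguished-name matching only and shows that a link expressed solely through subjectAltName/issuerAltName is not followed by such a receiver; the certificate names and the toy record format are assumptions.

```python
# Added example: chain building by Subject/Issuer DN matching only, the method
# the message proposes keeping as the single MUST. Records are constructed toy
# certificates (hypothetical names), not parsed X.509 data.
POOL = [
    {"subject": "CN=Root CA,O=Example", "issuer": "CN=Root CA,O=Example"},
    {"subject": "CN=Mail CA,O=Example", "issuer": "CN=Root CA,O=Example"},
    {"subject": "CN=alice,O=Example",   "issuer": "CN=Mail CA,O=Example"},
    # A CA whose subordinates identify it only through alternative names
    # (an empty subject DN is permitted when subjectAltName is present).
    {"subject": "", "issuer": "CN=Root CA,O=Example",
     "subjectAltName": ["dns:altca.example"]},
    {"subject": "CN=bob,O=Example", "issuer": "",
     "issuerAltName": ["dns:altca.example"]},
]
TRUST_ANCHORS = {"CN=Root CA,O=Example"}


def build_chain_by_dn(leaf, pool, anchors, max_depth=8):
    """Return [leaf subject, ..., anchor subject] by linking each certificate
    to the pool certificate whose subject DN equals its issuer DN.
    Returns None when no DN-based path to a trust anchor exists.
    subjectAltName/issuerAltName are deliberately ignored."""
    chain = [leaf]
    seen = {leaf["subject"]}
    cur = leaf
    while cur["subject"] not in anchors:
        if len(chain) > max_depth:
            return None            # unreasonably long path
        issuer_dn = cur["issuer"]
        if not issuer_dn:
            return None            # empty issuer DN: nothing to match on
        candidates = [c for c in pool if c["subject"] == issuer_dn]
        if not candidates:
            return None            # issuer not present in the pool
        nxt = candidates[0]
        if nxt["subject"] in seen:
            return None            # loop guard (e.g. self-signed, untrusted)
        seen.add(nxt["subject"])
        chain.append(nxt)
        cur = nxt
    return [c["subject"] for c in chain]


if __name__ == "__main__":
    print(build_chain_by_dn(POOL[2], POOL, TRUST_ANCHORS))  # alice -> Mail CA -> Root CA
    print(build_chain_by_dn(POOL[4], POOL, TRUST_ANCHORS))  # None: altName-only link
```

The second call fails because bob's certificate names its issuer only via issuerAltName, which a receiver that implements just the DN-chaining MUST cannot use.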