Ah. So maybe this should be worded "IF you implement keypair generation
AND you are submitting the public key to a CA THEN you MUST use..."
Sorry to jump in on a conversation halfway through. But I'm a little
worried about the above statement. Is there a compelling issue
of compatibility here? Is that issue enforceable?
In general a MUST refers to something that must be supported. MUST
use is a pretty infrequent requirement. I am somewhat concerned that
in an enterprise environment there might be a good need to
support use of some other certificate request mechanism and yet
still produce a product that is 100% interoperable with other S/MIME
implementations.
I would not like to see support for our OnSite or other shipping
solutions suddenly make a product ineligible to call itself S/MIME.
The statement "Clients supporting key generation MUST support..."
appears nearer to what people intend.
Phill
Phillip M Hallam-Baker
Principal Consultant
VeriSign Inc
P.S. As people might notice I'm no longer at MIT, the AI lab or the
Web consortium.