Elliott N Ginsburg wrote:
There are several issues to be addressed in this draft:
1) Should there be mandatory processing of email addresses in certificates
Yes, we discussed this at length in forming the current draft. I believe it was
agreed that we should make a check mandatory, but there was well-warranted
resistance toward putting anything about how success or failure of this
check would end up at any presentation or application layer. It was agreed
this was outside the scope of the spec.
The end result was a rather weak statement in the Security Considerations
section. I agree there is some room for making this stronger.
2) The processing descriptions must recognize that not only do receiving
agents process certificates during signature validation, but sending agents
process certificates used for encryption.
Yes, we had the same comment on the last (pre-)draft.
3) The current PKIX profile recommends that subject, if not null, contain a
and that an email address, if present, be in subjectAltName.
[ alot of other worthwhile text deleted ]
Yes, and I agree with the PKIX recommendation here.
The current SMIME draft was intended to compromise to allow for the fact that
implementations and many "e-mail certs" already out there are using
PKCS-9 EmailAddress (aka "E") in the DN for this purpose.
I think the right approach is to recommend roughly that issuers SHOULD put
e-mail addresses in the subjectAltName extension and that SMIME implementations
MUST look for them in both places. Eventually one hopes for a transition to
use of the extension.
Anil R. Gangolli
Structured Arts Computing Corp.