[Top] [All Lists]

Re: Checking the From address against the cert (was RE: draft-ietf-smime-cert)

1997-12-17 09:01:19
There are definitely some of us who do not want the checking against From
address to be mandatory. Someone just pointed out to me that S/MIME objects
will be carried in HTTP, where email address is not an issue. That is the
issue that must be decided on the list.

elliott ginsburg

At 09:50 PM 12/16/97 -0800, Blake Ramsdell wrote:
On Tuesday, December 16, 1997 3:51 PM, Anil R. Gangolli
[SMTP:gangolli(_at_)StructuredArts(_dot_)com] wrote:
Elliott N Ginsburg wrote:

There are several issues to be addressed in this draft:
1) Should there be mandatory processing of email addresses in

Yes, we discussed this at length in forming the current draft.  I believe
it was
agreed that we should make a check mandatory, but there was well-
resistance toward putting anything about how success or failure of this
check would end up at any presentation or application layer.  It was
this was outside the scope of the spec.

We had another discussion about this at the WG meeting in DC.  I believe
that Jim Schaad and I come down on the side of "the RFC822 name is
unauthenticated, so any comparison to information in the certificate is
interesting, but not necessarily useful."

I don't know if there is any further action we should take with this,
but the rathole detector went off during the WG meeting and we squashed
the discussion (Paul suggested we should bring it up on the list, which
has happened).  As you point out, perhaps more discussion in the
Security Considerations section would be useful.

Blake C. Ramsdell
Worldtalk Corporation
For current info, check
Voice +1 425 882 8861 x103  Fax +1 425 882 8060

Elliott N Ginsburg

<Prev in Thread] Current Thread [Next in Thread>