There are definitely some of us who do not want the checking against From
address to be mandatory. Someone just pointed out to me that S/MIME objects
will be carried in HTTP, where email address is not an issue. That is the
issue that must be decided on the list.

At 09:50 PM 12/16/97 -0800, Blake Ramsdell wrote:
On Tuesday, December 16, 1997 3:51 PM, Anil R. Gangolli
Elliott N Ginsburg wrote:
There are several issues to be addressed in this draft:
1) Should there be mandatory processing of email addresses in
Yes, we discussed this at length in forming the current draft. I believe
agreed that we should make a check mandatory, but there was well-
resistance toward putting anything about how success or failure of this
check would end up at any presentation or application layer. It was
this was outside the scope of the spec.
We had another discussion about this at the WG meeting in DC. I believe
that Jim Schaad and I come down on the side of "the RFC822 name is
unauthenticated, so any comparison to information in the certificate is
interesting, but not necessarily useful."
I don't know if there is any further action we should take with this,
but the rathole detector went off during the WG meeting and we squashed
the discussion (Paul suggested we should bring it up on the list, which
has happened). As you point out, perhaps more discussion in the
Security Considerations section would be useful.

Blake C. Ramsdell
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103 Fax +1 425 882 8060
Elliott N Ginsburg
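
The comparison debated in this thread, sketched as an added example (not code from the draft or from any participant): it compares the From/Sender addresses with the e-mail addresses in the signer's certificate and returns a three-way result, leaving the decision about what to do with it to the application layer. The names `Check` and `check_sender`, the sample addresses, and the assumption that the certificate addresses were already extracted from a validated signer certificate are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses
from enum import Enum


class Check(Enum):
    MATCH = "match"
    MISMATCH = "mismatch"
    NOT_APPLICABLE = "not-applicable"  # no From/Sender at all, e.g. an HTTP transfer


def normalize(addr):
    """Lower-case only the domain; the local part is compared exactly.
    (Comparison rule chosen for this example.) Returns None if there is no '@'."""
    local, sep, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}" if sep else None


def check_sender(raw_headers, cert_addresses):
    """Compare the addr-specs in From/Sender with the certificate's addresses.

    Only the addr-spec is used, never the display name, so a display name
    that merely looks like a certified address does not produce a match.
    The header itself is unauthenticated: the result is advisory input for
    the application, not an authentication decision.
    """
    msg = message_from_string(raw_headers)
    values = msg.get_all("From", []) + msg.get_all("Sender", [])
    claimed = {normalize(a) for _, a in getaddresses(values)} - {None}
    if not claimed:
        return Check.NOT_APPLICABLE
    certified = {normalize(a) for a in cert_addresses} - {None}
    return Check.MATCH if claimed & certified else Check.MISMATCH


if __name__ == "__main__":
    cert = ["alice@example.com"]  # constructed sample value
    samples = [
        "From: Alice <alice@Example.COM>\n",
        'From: "alice@example.com" <mallory@evil.example>\n',
        "Content-Type: application/pkcs7-mime\n",  # S/MIME object carried over HTTP
    ]
    for headers in samples:
        print(check_sender(headers, cert).value, "<-", headers.strip())
```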