ietf-smime

Re: draft-ietf-smime-cert

1997-12-17 08:57:04
At the S/MIME working group last week, some suggested that the requirement
for email addresses in certs should be removed. I agree with this and have
suggested wording to do so. I think we at least have to discuss this issue.
My customers do not want email addresses in certs.

elliott ginsburg 


At 03:51 PM 12/16/97 -0800, Anil R. Gangolli wrote:
Elliott N Ginsburg wrote:

There are several issues to be addressed in this draft:
1) Should there be mandatory processing of email addresses in certificates

Yes, we discussed this at length in forming the current draft.  I believe
it was agreed that we should make a check mandatory, but there was
well-warranted resistance toward putting anything about how success or
failure of this check would end up at any presentation or application
layer.  It was agreed this was outside the scope of the spec.

The end result was a rather weak statement in the Security Considerations 
section.  I agree there is some room for making this stronger.

2) The processing descriptions must recognize that not only do receiving
agents process certificates during signature validation, but sending agents
process certificates used for encryption.

Yes, we had the same comment on the last (pre-)draft.

3) The current PKIX profile recommends that subject, if not null,
contain a Directory Name; and that an email address, if present, be in
subjectAltName.

[ a lot of other worthwhile text deleted ]

Yes, and I agree with the PKIX recommendation here.
The current SMIME draft was intended to compromise to allow for the fact
that existing implementations and many "e-mail certs" already out there
are using PKCS-9 EmailAddress (aka "E") in the DN for this purpose.

I think the right approach is to recommend roughly that issuers SHOULD put
e-mail addresses in the subjectAltName extension and that SMIME
implementations MUST look for them in both places.  Eventually one hopes
for a transition to use of the extension.

--a.


-- 
Anil R. Gangolli
Structured Arts Computing Corp.
http://www.StructuredArts.com
mailto:gangolli(_at_)StructuredArts(_dot_)com
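One way to implement the "look in both places" check discussed above, added here as an example that is not from the draft or from either author: a Python sketch that compares the From: address against the PKCS-9 emailAddress attribute in the subject DN and the rfc822Name entries in subjectAltName. The dict standing in for a parsed certificate is a constructed assumption, not a real ASN.1 parse, and comparing the domain case-insensitively while keeping the local part exact is this example's choice.

```python
from email.utils import parseaddr

# Constructed stand-in for a parsed certificate (an assumption, not real
# DER decoding). It carries an address in BOTH places the thread mentions:
# the legacy PKCS-9 emailAddress attribute in the subject DN and an
# rfc822Name in subjectAltName, the location PKIX recommends.
SAMPLE_CERT = {
    "subject_dn": [("CN", "Anil R. Gangolli"),
                   ("emailAddress", "Gangolli@StructuredArts.com")],
    "subject_alt_names": [("rfc822Name", "gangolli@structuredarts.com"),
                          ("dNSName", "www.structuredarts.com")],
}


def cert_email_addresses(cert):
    """Collect candidate addresses from the DN and from subjectAltName.

    Both locations are consulted so that certificates issued under either
    convention are handled; DN entries are listed first.
    """
    found = [v for k, v in cert.get("subject_dn", [])
             if k.lower() == "emailaddress"]
    found += [v for k, v in cert.get("subject_alt_names", [])
              if k == "rfc822Name"]
    return found


def normalize(addr):
    """Split an addr-spec into (local, domain); None if it is not one.

    The domain part is lower-cased; the local part is left untouched,
    which is the comparison rule this example assumes.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return (local, domain.lower())


def sender_matches_cert(from_header, cert):
    """Return the certificate address matching the From: header, else None.

    A certificate with no address in either place never matches, which is
    exactly the case the thread is debating for mandatory checks.
    """
    _, from_addr = parseaddr(from_header)
    target = normalize(from_addr)
    if target is None:
        return None
    for candidate in cert_email_addresses(cert):
        if normalize(candidate) == target:
            return candidate
    return None
```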