At the S/MIME working group last week, some suggested that the requirement
for email addresses in certs should be removed. I agree with this and have
suggested wording to do so. I think we at least have to discuss this issue.
My customers do not want email addresses in certs.
There seems to be a lot of confusion caused by this issue. I'm trying
to work out where the problem really lies.
An oft quoted problem with the address in the certificate approach
is that a person may legitimately use more than one address. Company
names also change, people change departments, yet these need not
necessarily require a new certificate or private key.
Obviously proof of message origin is important, yet many S/MIME clients
conceal email addresses from the user unless display is specifically
requested. Maybe an S/MIME client that receives a signed message
should just display the distinguished name from the certificate and
ignore any information in the headers.
Providing an authenticated return address appears to me to be
important as well. Relying on the information in an unauthenticated
'reply-to' field seems unsatisfactory to me.
One solution to this problem is to simply require an email address in
the certificate. A better one may be to provide a means of identifying
the 'reply-to' address within the signed envelope, possibly as an
attribute. Then the user can override it if necessary.
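To make the last suggestion concrete, here is an added example that is not part of the original message or of any S/MIME implementation: a receiving client that takes the reply address from the signed inner entity of a multipart/signed message rather than from the unsigned outer headers, names the signer by the DN carried in the certificate, and flags the case where the two addresses disagree. The CMS signature is stood in for by an HMAC over the inner entity (a real client verifies CMS SignedData against the signer's certificate), the certificate is modelled as a dict holding a subject DN and its rfc822Name addresses, the messages and key are constructed here, and every function name (build_signed, replace_header, verify, authenticated_view) is my own.

```python
"""Added example, not part of the original thread: a receiving S/MIME-style
client that takes the reply address from the *signed* inner entity rather
than from the unauthenticated outer headers, and names the signer by the DN
in the certificate.

Assumptions that are mine, not the thread's:
  * the CMS signature is stood in for by an HMAC over the inner MIME entity
    (a real client verifies CMS SignedData against the signer's certificate);
  * the signer's certificate is modelled as a dict holding the subject DN and
    the rfc822Name addresses, if any, from its subjectAltName;
  * the sample messages and key are constructed here and are not real traffic.
"""
import email
import hashlib
import hmac
from email.message import Message
from email.mime.text import MIMEText
from email.utils import parseaddr

DEMO_KEY = b"stand-in for the signer's private key"  # assumption: demo only
SIG_TYPE = "application/x-demo-signature"             # assumption: demo only

# Constructed certificate identities (assumption: not real certificates).
CERT_WITH_EMAIL = {"subject": "CN=Alice Example, O=Example Corp, C=GB",
                   "rfc822": ["alice@example.com"]}
CERT_DN_ONLY = {"subject": "CN=Alice Example, O=Example Corp, C=GB",
                "rfc822": []}


def _sign(inner: Message) -> str:
    """Stand-in for CMS signing: MAC over the inner entity, headers included."""
    return hmac.new(DEMO_KEY, inner.as_bytes(), hashlib.sha256).hexdigest()


def build_signed(outer_headers: dict, signed_reply_to: str, body: str) -> str:
    """Assemble a multipart/signed message (RFC 1847 layout). The first part,
    which carries its own Reply-To, is what the signature covers; the outer
    From/Reply-To/Subject headers are not covered."""
    inner = MIMEText(body)
    inner["Reply-To"] = signed_reply_to
    sig = Message()
    sig.set_type(SIG_TYPE)
    sig.set_payload("placeholder")
    outer = Message()
    outer.set_type("multipart/signed")
    outer.set_param("protocol", SIG_TYPE)
    outer.set_param("micalg", "sha-256")
    for name, value in outer_headers.items():
        outer[name] = value
    outer.attach(inner)
    outer.attach(sig)
    # Serialise and re-parse before signing so the signer and the verifier
    # hash exactly the same canonical bytes of the inner entity.
    canon = email.message_from_string(outer.as_string())
    canon.get_payload(1).set_payload(_sign(canon.get_payload(0)))
    return canon.as_string()


def replace_header(raw: str, name: str, value: str, in_signed_part: bool = False) -> str:
    """Simulate modification in transit of an outer (unsigned) or inner (signed) header."""
    msg = email.message_from_string(raw)
    target = msg.get_payload(0) if in_signed_part else msg
    del target[name]
    target[name] = value
    return msg.as_string()


def verify(msg: Message):
    """Return the signed inner entity if the stand-in signature checks out, else None."""
    if msg.get_content_type() != "multipart/signed":
        return None
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != SIG_TYPE:
        return None
    inner, sig = parts
    if not hmac.compare_digest(sig.get_payload().strip(), _sign(inner)):
        return None
    return inner


def authenticated_view(raw: str, cert: dict) -> dict:
    """What the client should show: the signer's DN from the certificate, the
    reply address from the signed entity, and a warning whenever the unsigned
    outer header disagrees with it."""
    msg = email.message_from_string(raw)
    inner = verify(msg)
    if inner is None:
        return {"verified": False, "signer": None, "reply_to": None,
                "in_cert": None, "warnings": ["signature missing or invalid"]}
    warnings = []
    signed_addr = parseaddr(inner.get("Reply-To", ""))[1].lower()
    outer_addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1].lower()
    if not signed_addr:
        warnings.append("no signed Reply-To; outer header is unauthenticated")
    elif outer_addr != signed_addr:
        warnings.append(f"unsigned header says {outer_addr!r}, signed entity says {signed_addr!r}")
    # Only meaningful if the certificate binds an address at all; a DN-only
    # certificate (what the thread proposes) yields None here.
    cert_addrs = [a.lower() for a in cert["rfc822"]]
    in_cert = (signed_addr in cert_addrs) if cert_addrs and signed_addr else None
    return {"verified": True, "signer": cert["subject"],
            "reply_to": signed_addr or None, "in_cert": in_cert, "warnings": warnings}


if __name__ == "__main__":
    raw = build_signed({"From": "Alice <alice@example.com>", "To": "bob@example.org",
                        "Subject": "signed reply-to demo"},
                       "alice@example.com", "Please reply to the signed address.")
    print(authenticated_view(raw, CERT_WITH_EMAIL))
    # Outer header rewritten in transit: still verifies, the mismatch is flagged.
    print(authenticated_view(replace_header(raw, "Reply-To", "mallory@evil.example"), CERT_DN_ONLY))
    # Signed header rewritten: the signature no longer verifies.
    print(authenticated_view(replace_header(raw, "Reply-To", "mallory@evil.example", True), CERT_WITH_EMAIL))
```

The point the three runs make is the one argued above: rewriting the outer Reply-To leaves the signature intact but is caught because the client reads the address from the signed entity and only uses the outer header to raise a warning; rewriting the signed Reply-To breaks the signature; and a certificate that carries no email address still lets the client name the signer by DN, with the address check simply reported as not applicable.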