One of the things that ArmorMail products have done from
the start is based upon some Military message requirements.
We include the From:, To: and cc: addresses along with the
date as part of the signed message body. This is because
of a requirement to know who the message was really
sent to for action, as well as who else was copied on the
message -- as part of the trusted content.
The format of the address that we put in the header was
argued for quite some time, and it was decided by a
consensus of our customers that the "alias" (which is usually
the name of the individual) is what they want to see. This
information in combination with display of the signer's DN,
along with optional display of the certificate hierarchy, gives
the user all the information they need to make any judgment
calls they wish, without having to worry about rfc822 addresses
or how the mail got there.
From: Phillip M Hallam-Baker[SMTP:pbaker(_at_)verisign(_dot_)com]
Sent: Wednesday, December 17, 1997 11:49 AM
To: gangolli(_at_)structuredarts(_dot_)com; Elliott N Ginsburg
Subject: Re: draft-ietf-smime-cert
One solution to this problem is to simply require an email address in
the certificate. A better one may be to provide a means of identifying
the 'reply-to' address within the signed envelope, possibly as an
attribute. Then the user can overide it if necessary.