David, I'm not sure what you *would* put in the signature and the cert,
then. When I receive a signed message, I want to verify that it came from
someone I trust. The "came from" information is in the unauthenticated
RFC822 headers. With some DN in the signature and cert, I can verify that
the signature was made by someone our mutually-trusted CA says it does, but
there is no binding between that and the message I received.
My question is, if we don't use mail addresses in mail signatures and
certs, what do we use? Or, are you suggesting we say "you cannot validate
signatures on email as being associated with the messages"?
--Paul Hoffman, Director
--Internet Mail Consortium
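The binding problem described above, as an added example that is not part of the thread: the signature covers only the body, the From header is unauthenticated, and the only way to tie the two together is an address in the signer's cert that the verifier compares against the header. The HMAC below is a stand-in for a real S/MIME or PGP signature so the example runs on the standard library alone; the message, key and cert record are constructed.

```python
import email
import hashlib
import hmac
from email import policy
from email.utils import parseaddr

# Constructed demo key; stands in for the signer's private key.
SIGNING_KEY = b"constructed-demo-key"

# Constructed signed message. Only the body is covered by the signature,
# which is exactly the situation the post describes.
RAW_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: signed note

Please approve the transfer.
"""

# Constructed record of what the CA-issued cert might carry for Alice.
ALICE_CERT = {"subject_dn": "CN=Alice Example,O=Example Org",
              "rfc822_name": "alice@example.org"}


def body_of(raw: str) -> str:
    """Return the message body, i.e. the part the signature covers."""
    return email.message_from_string(raw, policy=policy.default).get_content()


def from_address(raw: str) -> str:
    """Return the addr-spec from the (unauthenticated) From header."""
    msg = email.message_from_string(raw, policy=policy.default)
    return parseaddr(msg["From"])[1].lower()


def sign_body(body: str) -> str:
    # Stand-in for a real signature over the body.
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def verify_binding(raw: str, sig: str, cert: dict) -> dict:
    """Verify the body signature, then check that the signer's cert binds
    an rfc822 address equal to the From header. A DN-only cert can never
    satisfy the second check: the signature is fine, the binding is absent."""
    sig_ok = hmac.compare_digest(sign_body(body_of(raw)), sig)
    cert_addr = cert.get("rfc822_name", "").lower()
    bound = sig_ok and bool(cert_addr) and cert_addr == from_address(raw)
    return {"signature_ok": sig_ok, "address_bound": bound}
```

With a cert carrying only a DN, or with a From header that no longer matches the cert's address, the signature still verifies but the message is not bound to the sender the header claims.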