RE: Checking the From address against the cert (was RE: draft-ietf-smime-cert)

1997-12-17 16:10:37
On Wednesday, December 17, 1997 8:04 AM, Elliott N Ginsburg
[SMTP:ginsburg@mitre.org] wrote:
There are definitely some of us who do not want the checking against From
address to be mandatory. Someone just pointed out to me that S/MIME
will be carried in HTTP, where email address is not an issue. That is the
issue that must be decided on the list.

I get it.

The current language is as follows (from section 3.1):

Sending agents SHOULD make the address in the From header in a mail
message match an Internet mail address in the signer's certificate.
Receiving agents MUST check that the address in the From header of a
mail message matches an Internet mail address in the signer's
certificate. A receiving agent MUST provide some explicit alternate
processing of the message if this comparison fails, which may be to
reject the message.

Anil pointed out that the current language was very carefully worded --
"You MUST do the check, but what you do as a result of the success or
failure of that check is up to you".  I don't know why this isn't
adequate, but I'm willing to keep discussing it if someone can point out
why it isn't.  In the case of HTTP, you MUST do the check (which MAY
fail), and then you MUST take some action (which is nothing, since
HTTP doesn't care about email address).

Did I miss the boat?
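
The receiving-agent comparison from the section 3.1 text quoted above, as an added example that is not part of the original message or the draft. It assumes the signer certificate has already been verified and its Internet mail addresses extracted, compares addresses case-insensitively, and treats an ambiguous From as a failed comparison; the outcome and action names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical outcome labels for the comparison.
MATCH, MISMATCH, NO_FROM = "match", "mismatch", "no-from-header"


def check_from_against_cert(raw_message, cert_addresses):
    """Compare the From addr-spec with the signer certificate's mail addresses.

    cert_addresses: addresses taken from an already verified signer
    certificate (certificate parsing is out of scope for this example).
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if not from_headers:
        # No From header at all, e.g. an S/MIME object carried over HTTP.
        return NO_FROM
    # Use only the parsed addr-spec; the display name is attacker-controlled
    # free text and must never take part in the comparison.
    parsed = [addr for _name, addr in getaddresses(from_headers) if addr]
    if len(from_headers) != 1 or len(parsed) != 1:
        # Assumption: duplicate headers, several mailboxes or an unparsable
        # value are ambiguous, so the comparison is treated as failed.
        return MISMATCH
    allowed = {a.strip().lower() for a in cert_addresses}
    return MATCH if parsed[0].lower() in allowed else MISMATCH


def handle(raw_message, cert_addresses):
    """Explicit alternate processing: every outcome maps to a visible action."""
    result = check_from_against_cert(raw_message, cert_addresses)
    if result == MATCH:
        return "show-as-signed-by-sender"
    if result == NO_FROM:
        return "show-signer-identity-from-cert-only"
    return "warn-signer-differs-from-sender"


if __name__ == "__main__":
    # Constructed sample: the display name imitates the certificate address.
    sample = 'From: "alice@example.com" <mallory@example.net>\nSubject: t\n\nbody\n'
    print(handle(sample, ["alice@example.com"]))
```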

