> The issue is we don't want addresses in certs because it shortens their
> life, but we need some authenticated way of knowing how to reply to whoever
> sent the mail and real names are not unique. The 822 headers are outside
> the hash and get screwed with by all and sundry.

While I certainly do agree with the second part of the above sentence, I
don't think that the first part is quite correct. How often do (email)
addresses change in reality and how often would one apply for a new cert
to be issued? I do think that the latter will happen more often by
comparison so I can't see why addresses within a cert should shorten
their validity period. On the other hand, if the address changes one
would need a new cert in a lot of cases anyway.
Am I missing something?

> Perhaps what we need is reply to or originator info inside the hash but not
> in the cert. That means you can be sure that the sender intended that
> address to be in the mail and the sender can change address at will without
> needing a new cert. (I'm having a strong urge to duck and run for cover
> after saying that :-)

Well, this sounds like a good idea to me.
DFN-PCA, University of Hamburg http://www.pca.dfn.de/~kelm/
Vogt-Koelln-Str. 30 "finger kelm(_at_)www(_dot_)pca(_dot_)dfn(_dot_)de" to get my PGP key
22527 Hamburg (Germany) Tel: +49 40 5494 2262 / Fax: +49 40 5494 2241