The issue is whether someone can send confidential
information to the subject of the certificate. If there is no
email address they are not going to be able to use it for
I may have missed something here. Is there an OID or
something in the X.509 certificate that identifies it as an
This is the real problem. But consider what happens if there is
no email address in the cert - you don't know how to contact the
This is like saying that without caller id, you don't know how to
call someone because you don't know what their phone number
If we want to include an e-mail address in the certificate, then it should
be included as an rfc822Name in subjectAltName.
Another point -- If I am using a non-Internet client, i.e. Microsoft
Mail, and I am sending to a person inside of my local enclave, my
client knows nothing about any RFC822 addresses. That only
comes into play when I send it out through a gateway.
The gateway has some mechanism for translating proprietary names to RFC 822
addresses. Perhaps the same translation can be performed by the client.
If not all of the information is available to the client, then the client
will have to devise another mechanism. I see this as no different than
dealing with a certificate that does not include any rfc822Name.
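As an added example that is not from the thread or any of its participants: the rfc822Name-in-subjectAltName encoding discussed above, with a small pure-Python DER parser that returns a certificate's rfc822Name entries and an empty list when the SAN carries none (the case the client must then handle some other way). The SAN byte strings are constructed here, and the function and constant names are my own assumptions.

```python
"""Extract rfc822Name entries from a DER-encoded X.509 subjectAltName value."""

# GeneralName context-specific tags (RFC 5280, section 4.2.1.6), implicit tagging.
RFC822_NAME = 0x81   # [1] IA5String
DNS_NAME = 0x82      # [2] IA5String
URI_NAME = 0x86      # [6] IA5String
IP_ADDRESS = 0x87    # [7] OCTET STRING


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def rfc822_names(san_der):
    """Return the rfc822Name strings found in a subjectAltName extension value.

    Returns [] when the GeneralNames SEQUENCE holds no rfc822Name, so the caller
    can fall back to another lookup mechanism instead of guessing an address.
    """
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE OF GeneralName")
    emails, pos = [], 0
    while pos < len(seq):
        name_tag, value, pos = _read_tlv(seq, pos)
        if name_tag == RFC822_NAME:
            emails.append(value.decode("ascii"))   # IA5String is 7-bit ASCII
    return emails


def _der(tag, body):
    """Encode one short-form DER element (body < 128 bytes); sample-building only."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed samples (not taken from any real certificate).
SAN_WITH_EMAIL = _der(0x30, _der(DNS_NAME, b"mail.example.com")
                      + _der(RFC822_NAME, b"alice@example.com"))
SAN_DNS_ONLY = _der(0x30, _der(DNS_NAME, b"host.example.com")
                    + _der(IP_ADDRESS, bytes([192, 0, 2, 10])))
```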