ietf-smime
[Top] [All Lists]

The address-in-certs issue

1997-12-26 14:47:02
I have been following the discussions on this issue for a while and am
now ready to add my opinion and questions to the mix.

1.  It is my firm belief that all certificates should contain a name,
either as the subject name or as an alternate subject name that is in
the domain which is being dealt with application under question.  As
S/MIME is specified primarily as an Internet Mail system, this would
imply that RFC 822 e-mail names should be present in a subjectAltName
extension.  

I would expect that applications such as SHTTP would specify what they
consider their domain of names to be and require that a certificate
include this information.  (For SHTTP either a URI or an RFC 822 name
would both be reasonable.)  The Microsoft Exchange Key Management server
includes as the subject name the mailbox name associated with the
certificate, thus leading to a different way in which a domain specific
name is bound the certificate.  An X.400 mail system would require that
an X.400 name be contained in the certificate.  If the mail was expected
to go between an X.400 mail system and the internet, both the X.400 and
RFC 822 name would be present in the certificate as it would be used in
both naming domains.

2.  A question:  It appears to me that one of the arguments that is
currently being pressed as to why certificates should not include such
things as an e-mail name is lifetime of a certificate.  Is it possible
to use attribute certificates to solve this problem?  The concept would
be to allow for a longer lifetime certificate while giving us a shorter
lifetime certificate which could be re-bound on a more frequent basis.
The assumption that I am working under is that the Certs draft would say
that a certificates attributes would be determined first by the
attribute certificate and then by the real certificate.  I don't know
enough about attribute certificates to understand if this is a good or a
bad idea.

3.  It is my firm belief that our document should make no specific
statements on how the domain specific name should be used.  This should
be entirely left up to the MUA and not be specified by us.  If we were
to specify anything at all, I would recommend that it runs along the
following lines:

"It is recommended that MUAs provide decision logic (or user)
information about the primary domain name from the certificate used to
verify the signature.  This specification does not provide any direction
as to what should be done with this identity."

jim schaad


<Prev in Thread] Current Thread [Next in Thread>