One could make the argument that CMS is intended for use by application
environments other than S/MIME some of which may choose to use a format
other than the X.509 Certificate syntax. In that case, it may be
appropriate to make Jim's recommended changes to the CMS format, but to
include text in the S/MIME v3 Message and Cert specs stating that only X.509
Certificates can be used in S/MIME messages.
I believe that this is correct. If we can do it without torture, we should
allow other cert types without specifying them. We already say "MUST use
PKIX-style certs" in the S/MIME certs draft, so there won't be any
questions what you have to use in order to interoperate, but we should make
it easy (if we can) to allow expansion for non-S/MIME use of CMS.
--Paul Hoffman, Director
--Internet Mail Consortium