From: John Gardiner Myers <jgmyers@netscape.com>

David P. Kemp wrote:
>> So, we have clearly demonstrated a need to explicitly define a set of
>> mandatory minimum identifier syntaxes.
>
> or, the equally meaningful "we have clearly demonstrated that
> the sun rises every day".
In the message to which I was replying, Paul Hoffman was disagreeing
with this very point. He was espousing a position that it was OK for
the S/MIME specification to allow a conforming CA to issue certs
containing only DNs, yet allow UAs to only recognize RFC822 addresses.
> Does anyone disagree that the mandatory-to-support identifier syntax
> for S/MIME user agents includes { Name, rfc822Name }? (That is, an
> S/MIME-compliant MUA must be capable of displaying, at a minimum, the
> subject distinguished name, as well as two of the nine defined forms of
> GeneralName.)
Yes, I disagree. First, it is necessary to constrain CAs such that
each cert they issue must contain at least one identifier with a syntax
in the mandatory minimum set. Otherwise, certs they issue may not
interoperate with UAs conforming to the mandatory-to-support identifier
syntax requirement.
(This "mandatory minimum" requirement could be more complex than
CA-must-include-one, UA-must-support-all, but we'll simplify for now.)
I agree that for the Internet Mail domain, the set contains no more
elements than { Name, rfc822Name }, but I further believe that in this
domain the set contains exactly { rfc822Name }. This position appears
to be shared by Jim Schaad, and I know it to be shared by other mail
vendors.
In domains other than Internet Mail, the set may well be completely
disjoint from { Name, rfc822Name }. Such domains would need to profile
the S/MIME specification.
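As an added illustration of the user-agent side of this disagreement (this is example code written for this page, not code from the thread or from any S/MIME implementation), the routine below walks a DER-encoded subjectAltName extension, reports which of the nine GeneralName forms each entry uses, and then applies the rfc822Name-only policy argued for above: the cert is usable for mail only if one rfc822Name entry matches the sender's address. A cert that carries only a subject DN has no subjectAltName at all, which is the case where an rfc822Name-only UA and a DN-only CA fail to interoperate. The SAN byte strings are constructed inline for the example; comparing the local part exactly and the domain case-insensitively is an assumption of this example, not something the thread specifies.

```python
"""Enumerate GeneralName forms in an X.509 subjectAltName (DER) and
decide whether a mail UA that only understands rfc822Name can use the cert.
Example code; the sample SAN values below are constructed, not real certs."""

# The nine CHOICE alternatives of GeneralName (RFC 2459 / X.509), by context tag.
GENERAL_NAME_FORMS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
IA5_FORMS = {"rfc822Name", "dNSName", "uniformResourceIdentifier"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(san_der):
    """Parse a DER SubjectAltName (SEQUENCE OF GeneralName) into (form, text) pairs.
    An absent extension (None or empty) yields no names at all."""
    if not san_der:
        return []
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:             # every GeneralName is context-specific tagged
            raise ValueError("GeneralName with non-context tag 0x%02x" % tag)
        form = GENERAL_NAME_FORMS.get(tag & 0x1F)
        if form is None:
            raise ValueError("unknown GeneralName choice %d" % (tag & 0x1F))
        # The three IA5String forms are text; everything else is left as hex.
        text = value.decode("ascii") if form in IA5_FORMS else value.hex()
        names.append((form, text))
    return names


def identifier_forms(san_der):
    """Which GeneralName forms does this cert's SAN carry?"""
    return [form for form, _ in parse_general_names(san_der)]


def rfc822_name_for(san_der, from_addr):
    """Policy of an rfc822Name-only UA: return the rfc822Name entry that matches
    the sender address, or None if the cert offers no usable identifier.
    Assumption (not from the thread): local part compared exactly, domain
    compared case-insensitively."""
    def norm(addr):
        local, _, domain = addr.rpartition("@")
        return local, domain.lower()

    wanted = norm(from_addr)
    for form, text in parse_general_names(san_der):
        if form == "rfc822Name" and norm(text) == wanted:
            return text
    return None


def _der(tag, content):
    """Encode one DER TLV with definite length (used to build the samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample 1: SAN with an rfc822Name and a dNSName.
SAN_WITH_RFC822 = _der(0x30, _der(0x81, b"alice@Example.COM")
                             + _der(0x82, b"mail.example.com"))
# Constructed sample 2: SAN whose only entry is a directoryName (empty Name).
SAN_DN_ONLY = _der(0x30, _der(0xA4, _der(0x30, b"")))
# Sample 3: cert with a subject DN but no subjectAltName extension at all.
SAN_ABSENT = None

if __name__ == "__main__":
    for label, san in (("rfc822+dns", SAN_WITH_RFC822),
                       ("dn-only", SAN_DN_ONLY), ("absent", SAN_ABSENT)):
        print(label, identifier_forms(san),
              rfc822_name_for(san, "alice@example.com"))
```

The first sample is accepted, while both the DN-only SAN and the missing SAN are rejected by the rfc822Name-only UA, even though a CA that put only a distinguished name in the cert would have been conforming under the position Myers is arguing against.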