Also keep in mind that many users will not have access to such a
repository, either because they have e-mail only connectivity, or
they are running offline when reading their mail. It seems like
a bad idea to build the assumption into S/MIME that everyone is
always connected to the global internet.
David P. Kemp wrote:
From: Dr Stephen Henson <shenson(_at_)bigfoot(_dot_)com>
In the minimal case the user's certificate will not be provided. Also
since some of the CA's include the large disclaimers in the user
certificate this wont always help.
I agree with Steve. The issuer name and serial number contained in
SignerInfo is sufficient to retrieve the user's certificate from
a repository. If there were a global repository nothing more would
be needed. However, there isn't.
It would be useful to define an S/MIME "subjectCertRepository"
attribute: a URI with syntax IA5String (as used in GeneralName).
This attribute, along with issuer/serial and a suitable amount of
handwaving would allow the user's cert to be retrieved using
LDAP, ftp, http, etc.