At the DC IETF meeting, Bob Jueneman brought up the issue of different
certs for the same address. For instance, two people might use one email
address and thus want different certificates. The current S/MIME and PKIX
specs allow the email address, not the informational cruft around it, in
the subjectAltName for a cert.

Do we want to change this? The arguments we heard against this in the PKIX
group included:

- A CA might check the validity of the email address but not the name
- The many formats for the additional information are incredibly confusing
  and likely to promote lack of interoperability

The arguments in favor of using full addresses include:

- Ability for multiple people with access to the mailbox to have unique
  certificates
- Increased identification for systems that do more than just check the mailbox

Comments?

--Paul Hoffman, Director
--Internet Mail Consortium
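
An added example, not part of the original message: it shows the address-only rule from the first paragraph and why a shared mailbox is ambiguous under it. The `Cert` class, addresses and serial numbers are constructed, and the simplified addr-spec grammar and case-insensitive domain comparison are assumptions of this sketch.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Simplified dot-atom addr-spec, no quoted local parts (assumption of this example).
ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
ADDR_SPEC = re.compile(rf"{ATOM}(\.{ATOM})*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")

@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for the fields of a parsed certificate."""
    subject_cn: str
    issuer: str
    serial: int
    rfc822_names: tuple  # email entries found in subjectAltName

def is_bare_addr_spec(value):
    """True only for local@domain with no display name, comment or brackets."""
    return ADDR_SPEC.fullmatch(value) is not None

def normalize(addr):
    """Lower-case the domain only; the local part is compared exactly."""
    local, _, domain = addr.rpartition("@")
    return local + "@" + domain.lower()

def certs_for_sender(from_header, certs):
    """Return every cert whose subjectAltName address matches the From address.

    Names in the certificate that carry anything beyond the bare address are
    ignored, which is the behaviour the address-only rule implies.
    """
    _, addr = parseaddr(from_header)  # strips the display name from the header
    if not is_bare_addr_spec(addr):
        return []
    want = normalize(addr)
    return [c for c in certs
            if any(is_bare_addr_spec(n) and normalize(n) == want
                   for n in c.rfc822_names)]

# Constructed sample data: three people sharing one mailbox.
CERTS = [
    Cert("Alice Example", "CN=Example CA", 0x1001, ("shared@example.com",)),
    Cert("Bob Example", "CN=Example CA", 0x1002, ("shared@Example.COM",)),
    Cert("Carol Example", "CN=Example CA", 0x1003,
         ("Carol Example <shared@example.com>",)),  # full address, not bare
]

if __name__ == "__main__":
    for c in certs_for_sender('"Sales Desk" <shared@example.com>', CERTS):
        print(c.subject_cn, c.issuer, hex(c.serial))
```

Two certificates match the same From address, so a verifier has to tell the holders apart by issuer and serial number rather than by the address.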