ietf-smime

Re: Mail addresses in S/MIME certs

1999-12-21 08:49:01
Dear All,

I would see it as follows (but then again I am very new to this discussion
and maybe I am completely off track):

When two people are using the same email address, the email address is used
as a role which can be filled by more than one person. In this case there
will be a certificate for the role and certificates for each person. The
certificates for the people will be used in private (or mail sent on
personal title) situations, while the certificate for the role will be used
in correspondence for this role only.

This means that both persons can have two certs, i.e. one for the role and
one for themselves, and each of these certs has to be stored in a separate
account or something like that.

When it is used in this way there is no problem with having the
informational stuff in the subjectAltName.

Regards,

Frank Nolden
MaXware Benelux BV

----- Original Message -----
From: Paul Hoffman / IMC <phoffman(_at_)imc(_dot_)org>
To: <ietf-smime(_at_)imc(_dot_)org>
Sent: Monday, December 20, 1999 22:35
Subject: Mail addresses in S/MIME certs


At the DC IETF meeting, Bob Jueneman brought up the issue of different
certs for the same address. For instance, two people might use one email
address and thus want different certificates. The current S/MIME and PKIX
specs allow the email address, not the informational kruft around it, in
the subjectAltName for a cert.

Do we want to change this? The arguments we heard against this in the PKIX
group included:
- A CA might check the validity of the email address but not the name
- The many formats for the additional information are incredibly confusing
and likely to promote lack of interoperability

The arguments in favor of using full addresses include:
- Ability for multiple people with access to the mailbox to have unique
certificates
- Increased identification for systems that do more than just check the
mailbox

Comments?

--Paul Hoffman, Director
--Internet Mail Consortium
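
Added example, not part of either message above: a small Python sketch of the address check under discussion, where only the bare address (no display name or comment) is compared with a certificate's subjectAltName rfc822Name. The certificate records, subjects and addresses are constructed sample data, the function names are hypothetical, and the comparison rule (exact local part, case-insensitive domain) is an assumption.

```python
from email.utils import parseaddr

# Constructed sample data: subject and rfc822Name values of four certificates.
CERTS = [
    {"subject": "CN=Sales Desk",    "rfc822Name": ["sales@example.com"]},
    {"subject": "CN=Alice Example", "rfc822Name": ["sales@Example.COM"]},
    {"subject": "CN=Bob Example",   "rfc822Name": ["sales@example.com"]},
    {"subject": "CN=Carol Example", "rfc822Name": ["carol@example.com"]},
]

def addr_spec(mailbox):
    """Return the bare address of a mailbox, dropping display name and comments."""
    _name, addr = parseaddr(mailbox)
    return addr

def is_bare_addr_spec(value):
    """True if value carries no display name, comment or angle brackets."""
    return (value == addr_spec(value)
            and value.count("@") == 1
            and " " not in value)

def normalize(addr):
    """Assumed comparison rule: local part exact, domain case-insensitive."""
    local, _, domain = addr.rpartition("@")
    return local + "@" + domain.lower()

def certs_for_sender(from_header, certs):
    """Subjects of all certificates whose rfc822Name matches the From address."""
    sender = normalize(addr_spec(from_header))
    return [c["subject"] for c in certs
            if any(is_bare_addr_spec(n) and normalize(n) == sender
                   for n in c["rfc822Name"])]

if __name__ == "__main__":
    for header in ("Alice Example <sales@example.com>",
                   "Bob Example <sales@example.com>",
                   "carol@example.com"):
        print(header, "->", certs_for_sender(header, CERTS))
```

Both senders on the shared mailbox match the same three certificates, so the address check alone cannot tell the role certificate from either person's certificate; only the subject name differs.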