Paul Hoffman / IMC wrote:
At the DC IETF meeting, Bob Jueneman brought up the issue of different
certs for the same address. For instance, two people might use one email
address and thus want different certificates. The current S/MIME and PKIX
specs allow the email address, not the informational kruft around it, in
the subjectAltName for a cert.
Do we want to change this? The arguments we heard against this in the PKIX
group included:
- A CA might check the validity of the email address but not the name
- The many formats for the additional information are incredibly confusing
and likely to promote lack of interoperability
The arguments in favor of using full addresses include:
- Ability for multiple people with access to the mailbox to have unique
certificates
- Increased identification for systems that do more than just check the
mailbox
Comments?
--Paul Hoffman, Director
--Internet Mail Consortium
Count me in the
"The many formats for the additional information are incredibly
confusing and likely to promote lack of interoperability"
camp. This, combined with the fact that that cruft is almost infinitely
changeable today, and almost never checked by anybody, seems to me to be
a sure guarantee of interoperability problems.
I don't have any philosophical objections to allowing this, though, and
if the S/MIME vendors are convinced that they can get it right and make
it all interoperate, I'm willing to be outvoted. But it just strikes me
as begging for a failure to communicate.
Al Arsenault