-----Original Message-----
From: HORII Naoto [mailto:Naoto(_dot_)Horii(_at_)swift(_dot_)com]
Sent: Monday, February 07, 2000 1:33 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: Problem for public CAs
Item 3 would typically be implemented by restricting the type of questions a
client can ask to the CA:
1) S/MIME certificates would be returned only if the subjectAltname is
unambiguously specified - e.g.

    client: search certificate for subjectAltname=lawsg(_at_)it(_dot_)postoffice(_dot_)co(_dot_)uk
    server: OK, certificate=blah
    client: search certificate for subjectAltname=*(_at_)it(_dot_)postoffice(_dot_)co(_dot_)uk
    server: ERROR, invalid search key

For such a protection scheme to work, your directory server must obviously
be able to validate/sanitize a search key against access rules - e.g. "no
wildcards allowed in search keys" - before forwarding the search to your
directory's backend engine.
<snip>
AWA: Of course, this doesn't work if you allow me an unlimited number of
queries to your directory. I'll just start with some of the more "obvious"
possibilities and work my way out; e.g.,
search for: certificate for smith(_at_)company(_dot_)com
            certificate for jsmith(_at_)company(_dot_)com
            certificate for smithj(_at_)company(_dot_)com
            ...
It's not real efficient, but hey, that's what computer programs are for. :-)
Sooner or later, I'll get a reasonable number of certs, and away I go. I'll
chew up a lot of network bandwidth and leave footprints all over your
directory, but if you let me search like this, it's worth it - if there's
money to be made in spamming, I don't care what it costs you for me to get
the addresses. :-)
Al Arsenault
-- insert usual disclaimer about this being my opinion, and not reflecting
the opinion of my employer or of any other organization with which I have a
relationship
-- insert second disclaimer: no, I don't spam, I don't like spam, I don't
harvest names to help somebody else spam;...
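
Added example, not part of either message: a sketch of a directory front end that applies the exact-match search-key check from the quoted message and also bounds lookups and misses per client, since the reply notes that key validation alone does not stop repeated guessing. The class name `SearchGate`, the limits, the client identifier and the sample addresses are assumptions made for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Exact address only: '*' and other filter metacharacters cannot match.
EXACT_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class SearchGate:
    """Hypothetical front end placed before the directory backend."""

    def __init__(self, directory, max_queries=5, max_misses=3, window=60.0):
        self.directory = directory         # address -> certificate (constructed)
        self.max_queries = max_queries     # lookups allowed per client per window
        self.max_misses = max_misses       # failed lookups allowed per window
        self.window = window               # seconds
        self.history = defaultdict(deque)  # client -> deque of (timestamp, hit)

    def search(self, client, key, now=None):
        now = time.monotonic() if now is None else now
        # 1) Validate the key before it reaches the backend.
        if not EXACT_ADDR.fullmatch(key):
            return "ERROR", "invalid search key"
        # 2) Expire old events, then apply the per-client limits.
        events = self.history[client]
        while events and now - events[0][0] > self.window:
            events.popleft()
        misses = sum(1 for _, hit in events if not hit)
        if len(events) >= self.max_queries or misses >= self.max_misses:
            return "ERROR", "query limit exceeded"
        # 3) Exact-match lookup; record hit or miss for later decisions.
        cert = self.directory.get(key.lower())
        events.append((now, cert is not None))
        if cert is None:
            return "ERROR", "not found"
        return "OK", cert


# Constructed sample directory and query sequence (one query per second).
DIRECTORY = {"jsmith@company.example": "cert-jsmith"}

def demo():
    gate = SearchGate(DIRECTORY)
    guesses = ["*@company.example", "smith@company.example",
               "smithj@company.example", "j.smith@company.example",
               "jsmith@company.example"]
    return [gate.search("10.0.0.7", g, now=float(i)) for i, g in enumerate(guesses)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the constructed sequence the wildcard key is rejected outright, and after three misses the same client is refused even for an address that exists. The recorded misses are also the "footprints" an operator can alert on.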