ietf-smime

Re: Problem for public CAs

2000-02-09 12:28:52


Yes, but just what is it that is cryptographically bound?  In many cases,
requests for a certificate are submitted via mail and the certificate is
returned by mail (or at least the notification that the certificate is ready).
We are starting to cross the line of the CA's policy.  It seems to me that the
approach to both Signature Verification and the faith put in non-disclosure have
been far too simplified.  In cases where the CA Policy is based solely on the
e-mail address then it makes sense that ALL that is cryptographically bound IS
the e-mail address and this has no relevance at all to the source's claimed
identity.  If you want more than that then you should not trust such a CA, and
the binding should be to some other credential which must somehow be
incorporated into the message.





Russ,

Please describe a security vulnerability that is caused by lack of
email address in subjectAltName.

* In the case of authentication:
I sign my own messages with (one of) my own certs.  The subject name of
my cert is displayed to the recipient when the message signature is
validated.  What vulnerability is introduced if a message signed by
"C=US ... CN=David Kemp" comes from any email address, or mail list
address, in the world?  The "from" and "reply-to" fields are both
irrelevant to the authentication.

* In the case of confidentiality:
I want to send a message to "C=CA ... CN=Joe Smith".  I look up Joe's
email address in my address book, which might be correct or incorrect.
If Joe receives the message using whatever email address I have for him,
he can read the message.  If my address book is incorrect and Fred
receives the message, he can't read it because he doesn't have Joe's
private key.

It seems to me that if there are security vulnerabilities, they are
the result of a flawed HMI, not a flawed certificate profile.  If
the HMI does not associate the subjectName with the message to which
it is cryptographically bound, you will have vulnerabilities.

Dave
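
The HMI point argued in this thread, as an added example (not code from either poster or from any S/MIME implementation): a sketch of what a mail client could show once a signature has verified, keeping the certificate subject as the authenticated identity and labelling the From header by whether the certificate binds it. The function names, result fields, simplified DN parsing and sample addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr


def common_name(subject_dn):
    """Pull CN out of a DN string (simplified: no escaped commas handled)."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""


def signer_banner(from_header, subject_dn, cert_emails):
    """Decide what to display for a message whose signature already verified.

    subject_dn  -- subject name of the signer's certificate
    cert_emails -- rfc822Name values from subjectAltName (may be empty)
    Assumption: addresses are compared case-insensitively.
    """
    display_name, from_addr = parseaddr(from_header)
    bound = {e.strip().lower() for e in cert_emails}
    banner = {"signed_by": subject_dn, "from_addr": from_addr, "warnings": []}

    if not bound:
        # Certificate carries no address: only the subject name is bound.
        banner["from_status"] = "unauthenticated"
    elif from_addr.lower() in bound:
        banner["from_status"] = "matches-certificate"
    else:
        banner["from_status"] = "mismatch"
        banner["warnings"].append("From address is not in the signer's certificate")

    # The From display name is free text chosen by the sender; a certificate
    # issued on the strength of an e-mail address alone does not vouch for it.
    if display_name and display_name.lower() != common_name(subject_dn).lower():
        banner["warnings"].append("From display name differs from certificate CN")
    return banner


if __name__ == "__main__":
    # Constructed samples, not taken from the thread.
    print(signer_banner("David Kemp <list@lists.example.org>",
                        "C=US, O=Example, CN=David Kemp", []))
    print(signer_banner('"David Kemp" <mallory@example.net>',
                        "CN=Mallory", ["Mallory@Example.NET"]))
```
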






