RE: Re: Problem for public CAs

2000-02-15 03:25:31
Just to play Devil's advocate...
There is a third address to be considered, the Reply-to. This is a specific 
request from the originator of the message to reply to another address. If it 
is present we ought not reply to either of the other 2 addresses.


Bartley O'Malley
Citibank NA
Lewisham House
25 Molesworth Street
SE13 7EX

Tel +44-020-7500-6473
Fax +44-020-7500-8880

-----Original Message-----
From: phoffman [SMTP:phoffman(_at_)imc(_dot_)org]
Sent: Tuesday, February 15, 2000 12:01 AM
To: ietf-smime
Cc: phoffman
Subject: Re: Problem for public CAs

At 04:10 PM 2/14/00 -0700, Bob Jueneman wrote:
Instead, in the case of a signed message the From address should be viewed
as secondary, and the certificate contents the primary information.

From a security standpoint, this is right. From a UI standpoint, it might 
not be. Assume I have a different email address in my cert than in the 
From: header of a message I send you, that your S/MIME client has informed 
you of that, and you agreed. Now you want to reply to my message. You 
probably don't want to reply to the email address in my cert, but you 
might. There are essentially two From values: the certificate one and the 
insecure-and-possibly-altered one.

Of course, we have to face the fact that NEITHER the DN nor the RFC822 address
may be particularly relevant or informative.

Exactly right.

And, no, I'm not proposing a solution here.

--Paul Hoffman, Director
--Internet Mail Consortium
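
Added example, not part of the original thread: a sketch of how a mail client could enumerate the three reply targets discussed above (Reply-To, From, and the certificate address) and flag the ones the signer's certificate does not vouch for. The function names, the `cert_addresses` input and the sample message are assumptions made for illustration; signature and certificate validation are assumed to have happened already.

```python
from email import message_from_string
from email.utils import getaddresses

def header_addrs(msg, name):
    """Lower-cased addresses from every instance of one header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a]

def reply_candidates(raw_message, cert_addresses):
    """List possible reply targets and flag those the signer's cert does not vouch for.

    cert_addresses is assumed to come from an S/MIME layer that has already
    verified the signature and validated the certificate (hypothetical input).
    Case-insensitive comparison of the whole address is a simplification.
    """
    msg = message_from_string(raw_message)
    cert = [a.lower() for a in cert_addresses]
    candidates = []
    # Reply-To first (the originator's explicit request), then From.
    for name in ("Reply-To", "From"):
        for addr in header_addrs(msg, name):
            candidates.append({"address": addr, "source": name, "in_cert": addr in cert})
    # Certificate addresses that appear in neither header are a third option.
    seen = {c["address"] for c in candidates}
    for addr in cert:
        if addr not in seen:
            candidates.append({"address": addr, "source": "certificate", "in_cert": True})
    from_addrs = header_addrs(msg, "From")
    default = candidates[0] if candidates else None
    return {
        "from_matches_cert": bool(from_addrs) and all(a in cert for a in from_addrs),
        "default_reply": default["address"] if default else None,
        "warn_user": default is not None and not default["in_cert"],
        "candidates": candidates,
    }

# Constructed sample message and certificate address (not from the thread).
SAMPLE = (
    "From: Alice Example <alice@mail.example>\n"
    "Reply-To: replies@lists.example\n"
    "Subject: signed note\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for c in reply_candidates(SAMPLE, ["Alice@corp.example"])["candidates"]:
        print(c)
```

The sketch only surfaces the mismatch and the provenance of each address; which one a reply should actually go to remains the UI question the thread leaves open.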
