Piers, I certainly agree that the IETF is primarily concerned with protocols,
and not APIs and even less issues of look and feel.
However, what we are trying to do is to establish an infrastructure for _secure_
communications, and to a very large extent that security is quite literally in
the eye of the beholder.
To my mind, S/MIME today 'works" but is not "workable", in part because of the
difficulty in setting up the infrastructure, but in part because of trying to
get these kinds
of nuances right.
it could be argued that address verification isn't even necessary -- the user
could check the certificate whenever it seemed necessary.
But what I really don't want to see is a case where a naive user is tricked
accepting a signed message from "President William C. Clinton"
just because foo(_at_)bar(_dot_)com had previously been validated in a
So, I believe, the human factors issue is important, and at least as relevant to
this WG as any other standards issue where the word "SHOULD" is used.
Obviously Novell could go off and do its own thing in this space -- the Internet
police aren't going to prevent it if we support an additional user name in a
in the certificate, and choose to display it in GroupWise. But I'm trying to
raise all of the
boats, by making sure that the PKI and S/MIME products not only interoperate,
actually do something useful, and don't mislead people.
My two cents, anyway.
"Piers Chivers" <piers(_at_)bj(_dot_)co(_dot_)uk> 02/16/00 03:27AM >>>
I thought this group was concerned about protocol whereas what you are
describing is largely human-machine-interface issues. If we are going to
get into that arena I could argue that all signed receipts should be
displayed as green. I expect that suggestion would be unacceptable to those
who like red!
Having said that, I think the addressing issues need to be clarified. We
have the added complication of combining SMIME and X.400 where there are
both P1 and P2 addresses.
I mostly agree with your suggestions below but think they need to be worked
upon to become definitive. I'm not sure if this WG is the right forum for
The most difficult approach is to educate users that who routed the message
(the envelope addressees) is not necessarily the same as who generated the
content. Perhaps our UIs should improve to make this distinction more
Behalf Of Bob Jueneman
Sent: 16 February 2000 00:53
Subject: E-mail address validation
Paul and Bartley make a good point regarding who the reply should be sent
Although this a second order problem, it still appears to be a problem.
The first issue is what should be displayed as the confirmed
of the message. and I think we are beginning to get a handle on that
The second issue is one of routing the reply, and here there are so many
differences in the way replies are handled that I'm not even sure I
all of the problems, much less the solutions.
I do know that mail lists frequently mangle the From address, putting the
of the mail list in the cc list, etc., etc.
Likewise, people that have multiple accounts for a number of different
often use a single Reply-To address to consolidate responses.
And if the reply is encrypted, it seems a bit much to ask the sender to
read my mind as to which processor containing which certificate/key I am
to use to decrypt the response.
And finally, if this is a really serious security issue, which I'm not quite
that it is, what should be done about all of the other To, Cc, and Bcc
So let me take a stab at a revised solution that includes both problems,
although this may turn out to be only half-baked.
1. The UI for a signed message SHOULD display the originator's "real"
name, which may be further qualified, if desired. The originator's RFC822
from the certificate should also be displayed, and the DN as well, in that
preference if those fields are all supplied, but it must be recognized that
may be missing.
2. The UI SHOULD attempt to match the originator's RFC822 addr-spec address
the certificate to the From address of the message, and SHOULD flag a
but MUST NOT require that the RFC822 name be present in the certificate.
3. In the event of an encrypted message, including a reply to a From or
address, the To, Cc, and Bcc addresses SHOULD all be matched against the
RFC822 address in that user's certificate, HOWEVER THAT CERTIFICATE
WAS SELECTED, and SHOULD flag any mismatch with a warning message.
Does this take care of the problem? Do we need to say something about
checking the outgoing From or Reply-to addresses in the case of a signed
to make sure they conform to the user's certificate? If so, which
certificate -- the
signing certificate, or the encryption certificate?
Hmm. This gets more and more complicated.
<bartley.o'malleyy(_at_)citicorp(_dot_)com> 02/15/00 03:29AM >>>
Just to play Devils advocate...
There is a third address to be considered, the Reply-to. This is a specific
request from the originator of the message to reply to another address. If
is present we ought not reply to either of the other 2 addresses.
25 Molesworth Street
From: phoffman [SMTP:phoffman(_at_)imc(_dot_)org]
Sent: Tuesday, February 15, 2000 12:01 AM
Subject: Re: Problem for public CAs
At 04:10 PM 2/14/00 -0700, Bob Jueneman wrote:
Instead, in the case of a signed message the From address should be viewed
as secondary, and the certificate contents the primary information.
From a security standpoint, this is right. From a UI standpoint, it might
not be. Assume I have a different email address in my cert than in the
From: header of a message I send you, that your S/MIME client has informed
you of that, and you agreed. Now you want to reply to my message. You
probably don't want to reply to the email address in my cert, but you
might. There are essentially two From vales: the certificate one and the
Of course, we have to face the fact that NEITHER the DN nor the RFC822
may be particularly relevant or informative.
And, no, I'm not proposing a solution here.
--Paul Hoffman, Director
--Internet Mail Consortium