At 8:11 AM -0800 11/2/01, Michael Helm wrote:
Once upon a time, email addresses, especially "internet" or
rfc822 addresses, were a common component in X.509 subject names.
But a few years ago they became a deprecated component in PKIX
(RFC 2459 sec 4.1.2.6) and S/MIME v3. Both of these have
language like this in their respective RFC's:
The email address SHOULD be in
the subjectAltName [X.509v3] extension, and SHOULD NOT be in the subject
distinguished name.
[RFC 2632 sec 3]
Could someone explain why this happened? I remember the process
at the time... but vaguely. Looking thru old notes & the mail
archives &c led me to a couple of possible explanations:
Mike,
An e-mail address makes for a good name, but it has its own type, as
an alt subject name. An e-mail address is not an appropriate RDN,
i.e., people do not construct directory schema in which an e-mail
address is a qualifier for a person's directory entry. The e-mail
address is an OK directory attribute, but just not an appropriate
component of a DN. The convention that arose for embedding an e-mail
address in a DN was a short-term fix that has unfortunate
implications when considered in a larger context. Thus the PKIX
standards deprecate it.
Steve
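The distinction Steve draws, an e-mail address as an rfc822Name in subjectAltName versus an emailAddress attribute (OID 1.2.840.113549.1.9.1) embedded in the subject DN, can be checked mechanically. The code below is an added example, not part of the thread; it assumes the Python `cryptography` library and builds two constructed self-signed certificates, one following the RFC 2632 / RFC 2459 recommendation and one using the deprecated DN convention, then reports where each one carries its address.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Fixed validity window so the example is deterministic (constructed values).
NOT_BEFORE = datetime.datetime(2024, 1, 1)
NOT_AFTER = datetime.datetime(2034, 1, 1)


def make_cert(common_name, san_emails=(), dn_emails=()):
    """Build a self-signed certificate carrying e-mail addresses either as
    rfc822Name entries in subjectAltName (recommended) and/or as emailAddress
    attributes in the subject DN (deprecated by PKIX and S/MIME v3)."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    for addr in dn_emails:
        # emailAddress (1.2.840.113549.1.9.1) as an RDN component of the DN
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, addr))
    name = x509.Name(attrs)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
    )
    if san_emails:
        # rfc822Name GeneralName entries in the subjectAltName extension
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(a) for a in san_emails]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def email_placement(cert):
    """Return where the certificate carries e-mail addresses.

    'san' lists rfc822Name values from subjectAltName, 'subject_dn' lists
    emailAddress attributes found in the subject DN, and 'deprecated_in_dn'
    is True when the DN form is used at all (the placement RFC 2632 sec 3
    says SHOULD NOT be used)."""
    dn_emails = [
        a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)
    ]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        san_emails = san.value.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        san_emails = []
    return {
        "san": list(san_emails),
        "subject_dn": dn_emails,
        "deprecated_in_dn": bool(dn_emails),
    }


def demo():
    """Compare the recommended and the deprecated placement side by side."""
    good = make_cert("Alice Example", san_emails=["alice@example.test"])
    old = make_cert("Alice Example", dn_emails=["alice@example.test"])
    return email_placement(good), email_placement(old)


if __name__ == "__main__":
    for label, result in zip(("SAN form", "DN form"), demo()):
        print(label, result)
```

A certificate consumer that still reads the address out of the DN will accept the second form and miss the first, which is the practical reason the placement matters: validation logic for S/MIME should look in subjectAltName first and treat a DN-only address as a legacy case.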