ietf-smime

Proposed Text for X.400 Certificate Requirements

2002-04-25 10:54:13

  Another comment that I was handling coming out of the Minneapolis meeting was 
the need for text describing additional certificate requirements when using 
X400WRAP.  In considering the options, I think the best bet is to add a single 
additional section under the existing certificate text to address the use of 
subjectAltName in certs, plus the requirements for sending and receiving S/MIME 
agents.  The required text is brief, and I think can be treated simply as 
requirements in addition to the CERT31 spec.

  One notable change from the treatment of this for SMTP is that we don't know 
for sure that the X.400 content we are protecting will contain the 
originator's address.  All the ones I know about do, but I'm trying to avoid 
the black hole of trying to specify checking explicitly against every possible 
content type.  I'm therefore suggesting a more general statement that's 
conditional upon the presence of an originator address in the content.  I also 
recommend we therefore back the matching requirement down from a MUST to a 
SHOULD since there are conditions under which it maybe couldn't happen.

  The text I propose is shown below.  Comments are welcome.

Chris



=====================

Add the following to draft-ietf-smime-x400wrap-04:

4.3. Certificate Name Use for X.400 Content

End-entity certificates used in the context of this draft MAY contain an X.400 
address as described in [X.400].  The address must be in the form of an 
"ORAddress".  The X.400 address SHOULD be in the subjectAltName extension, and 
SHOULD NOT be in the subject distinguished name.

Sending agents SHOULD make the originator address in the X.400 content (e.g., 
the "originator" field in P22) match an X.400 address in the signer's 
certificate. 

Receiving agents MUST recognize X.400 addresses in the subjectAltName field.

Receiving agents SHOULD check that the originator address in the X.400 content 
matches an X.400 address in the signer's certificate, if X.400 addresses are 
present in the certificate and an originator address is available in the 
content.  A receiving agent SHOULD provide some explicit alternate processing 
of the message if this comparison fails, which may be to display a message that 
shows the recipient the addresses in the certificate or other certificate 
details.

The subject alternative name extension is used in S/MIME as the preferred means 
to convey the X.400 address(es) that correspond to the entity for this 
certificate. Any X.400 addresses present MUST be encoded using the x400Address 
CHOICE of the GeneralName type. Since the SubjectAltName type is a SEQUENCE OF 
GeneralName, multiple X.400 addresses MAY be present.

=====================
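As an added example (not part of this message or the x400wrap draft), the receiving-agent check from the proposed 4.3 in pure Python: it pulls the x400Address GeneralNames out of a DER-encoded SubjectAltName value and compares the content's originator ORAddress against them, reporting "not-checked" when the certificate has no X.400 address or the content supplies no originator, as the conditional SHOULD requires. The ORAddress and SubjectAltName octets are constructed here with a minimal DER encoder; the attribute selection and sample values are assumptions, not taken from any real certificate.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """DER TLV with a short-form length (enough for the constructed samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, next_pos) for the DER TLV at pos; single-octet tags."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits count the length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def x400_addresses(san_der: bytes) -> list:
    """ORAddress contents of every x400Address GeneralName in a SubjectAltName.
    GeneralName is IMPLICIT-tagged: x400Address [3] is 0xA3, replacing the 0x30."""
    tag, seq, _ = read_tlv(san_der)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE OF GeneralName")
    found, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA3:
            found.append(val)
    return found

def originator_check(san_der: bytes, originator_der) -> str:
    """Receiving-agent rule of the proposed 4.3: compare only when the cert
    carries an X.400 address and the content supplies an originator."""
    cert_addrs = x400_addresses(san_der)
    if not cert_addrs or originator_der is None:
        return "not-checked"
    tag, contents, _ = read_tlv(originator_der)
    if tag != 0x30:
        raise ValueError("ORAddress must be a SEQUENCE")
    return "match" if contents in cert_addrs else "mismatch"  # DER is canonical

def or_address(country: str, admd: str, prmd: str, org: str) -> bytes:
    """Constructed sample ORAddress (BuiltInStandardAttributes only): the CHOICE
    fields [APPLICATION 1], [APPLICATION 2], [2] wrap a PrintableString (0x13)."""
    std = (tlv(0x61, tlv(0x13, country.encode())) + tlv(0x62, tlv(0x13, admd.encode()))
           + tlv(0xA2, tlv(0x13, prmd.encode())) + tlv(0x83, org.encode()))  # [3] IMPLICIT
    return tlv(0x30, tlv(0x30, std))

def sample_san(*or_addrs: bytes) -> bytes:
    """Constructed SubjectAltName: an rfc822Name [1] plus one x400Address [3] each."""
    names = tlv(0x81, b"sender@example.org")
    for a in or_addrs:
        names += tlv(0xA3, read_tlv(a)[1])  # implicit [3] replaces the 0x30 header
    return tlv(0x30, names)
```

The octet comparison is only valid because both sides are DER; an originator taken from BER-encoded content would have to be re-encoded as DER before comparing.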



  • Proposed Text for X.400 Certificate Requirements, Bonatti, Chris