Another comment that I was handling coming out of the Minneapolis meeting was
the need for text describing additional certificate requirements when using
X400WRAP. In considering the options, I think the best bet is to add a single
additional section under the existing certificate text to address the use of
subjectAltName in certs, plus the requirements for sending and receiving S/MIME
agents. The required text is brief, and I think can be treated simply as
requirements in addition to the CERT31 spec.
One notable change from the treatment of this for SMTP is that we don't know
for sure that the X.400 content we are protecting will contain the
originator's address. All the ones I know about do, but I'm trying to avoid
the black hole of trying to specify checking explicitly against every possible
content type. I'm therefore suggesting a more general statement that's
conditional upon the presence of an originator address in the content. I also
recommend we therefore back the matching requirement down from a MUST to a
SHOULD since there are conditions under which it maybe couldn't happen.
The text I propose is shown below. Comments are welcome.
Chris
=====================
Add the following to draft-ietf-smime-x400wrap-04:
4.3. Certificate Name Use for X.400 Content
End-entity certificates used in the context of this draft MAY contain an X.400
address as described in [X.400]. The address must be in the form of an
"ORAddress". The X.400 address SHOULD be in the subjectAltName extension, and
SHOULD NOT be in the subject distinguished name.
Sending agents SHOULD make the originator address in the X.400 content (e.g.,
the "originator" field in P22) match an X.400 address in the signer's
certificate.
Receiving agents MUST recognize X.400 addresses in the subjectAltName field.
Receiving agents SHOULD check that the originator address in the X.400 content
matches an X.400 address in the signer's certificate, if X.400 addresses are
present in the certificate and an originator address is available in the
content. A receiving agent SHOULD provide some explicit alternate processing
of the message if this comparison fails, which may be to display a message that
shows the recipient the addresses in the certificate or other certificate
details.
The subject alternative name extension is used in S/MIME as the preferred means
to convey the X.400 address(es) that correspond to the entity for this
certificate. Any X.400 addresses present MUST be encoded using the x400Address
CHOICE of the GeneralName type. Since the SubjectAltName type is a SEQUENCE OF
GeneralName, multiple X.400 addresses MAY be present.
=====================
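As an added illustration of the receiving-agent behaviour in the proposed 4.3 (not part of the draft text above, and not code from any S/MIME implementation), the following Python sketches the conditional originator check and the "alternate processing" it calls for. The ORAddress model with its standard attributes, the (choice, value) tuples standing in for GeneralName entries of the subjectAltName SEQUENCE, the case- and whitespace-insensitive comparison rule, and the sample signer certificate and P22 originator values are all assumptions constructed for this example:

```python
"""Originator-address check against x400Address entries in subjectAltName.

Added example for the proposed section 4.3; the data model and comparison
rule below are assumptions, not anything the draft specifies.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class ORAddress:
    """Constructed model of an X.400 ORAddress (standard attributes only).

    A real ORAddress also carries domain-defined and extension attributes;
    they are omitted here to keep the comparison readable.
    """
    country: str
    admd: str
    prmd: str = ""
    organization: str = ""
    org_units: Tuple[str, ...] = ()
    surname: str = ""
    given_name: str = ""

    def normalized(self) -> "ORAddress":
        # Assumption: attribute values compare case-insensitively and with
        # runs of whitespace collapsed, so "Example Org" == "EXAMPLE  org".
        def norm(s: str) -> str:
            return " ".join(s.split()).casefold()
        return ORAddress(norm(self.country), norm(self.admd), norm(self.prmd),
                         norm(self.organization),
                         tuple(norm(u) for u in self.org_units),
                         norm(self.surname), norm(self.given_name))


# subjectAltName is a SEQUENCE OF GeneralName; each entry is modelled as
# (CHOICE name, value). Only the x400Address CHOICE is consulted for matching.
GeneralName = Tuple[str, Union[str, ORAddress]]


def x400_addresses(subject_alt_name: Sequence[GeneralName]) -> List[ORAddress]:
    """All x400Address entries; multiple MAY be present, so return a list."""
    return [v for choice, v in subject_alt_name
            if choice == "x400Address" and isinstance(v, ORAddress)]


def check_originator(subject_alt_name: Sequence[GeneralName],
                     originator: Optional[ORAddress]) -> str:
    """Apply the conditional SHOULD from 4.3.

    Returns "skipped" when the precondition is unmet (no X.400 address in the
    certificate, or no originator address recoverable from the content),
    otherwise "match" or "mismatch".
    """
    cert_addrs = x400_addresses(subject_alt_name)
    if not cert_addrs or originator is None:
        return "skipped"
    wanted = originator.normalized()
    return "match" if any(a.normalized() == wanted for a in cert_addrs) else "mismatch"


def alternate_processing(subject_alt_name: Sequence[GeneralName]) -> List[str]:
    """Lines a receiving agent could show the recipient after a mismatch:
    every address carried in the certificate, X.400 or otherwise."""
    lines = []
    for choice, value in subject_alt_name:
        if isinstance(value, ORAddress):
            lines.append(f"X.400: C={value.country}; A={value.admd}; P={value.prmd}; "
                         f"O={value.organization}; S={value.surname}; G={value.given_name}")
        else:
            lines.append(f"{choice}: {value}")
    return lines


# Constructed sample signer certificate subjectAltName: one rfc822Name plus
# one x400Address (both CHOICEs may coexist in the same extension).
SIGNER_SAN: List[GeneralName] = [
    ("rfc822Name", "alice@example.com"),
    ("x400Address", ORAddress(country="US", admd="ADMD", prmd="EXAMPLE",
                              organization="Example Org",
                              surname="Smith", given_name="Alice")),
]

# Constructed P22 originator fields: first differs only in case, second is a
# different person entirely.
ORIGINATOR_OK = ORAddress(country="us", admd="admd", prmd="Example",
                          organization="EXAMPLE  ORG", surname="smith",
                          given_name="ALICE")
ORIGINATOR_BAD = ORAddress(country="US", admd="ADMD", prmd="EXAMPLE",
                           organization="Example Org", surname="Jones",
                           given_name="Bob")

if __name__ == "__main__":
    for label, orig in (("ok", ORIGINATOR_OK), ("bad", ORIGINATOR_BAD), ("none", None)):
        verdict = check_originator(SIGNER_SAN, orig)
        print(label, verdict)
        if verdict == "mismatch":
            print("\n".join(alternate_processing(SIGNER_SAN)))
```

The "skipped" outcome is what distinguishes this from the SMTP treatment: when the content type carries no originator address, or the certificate carries no x400Address at all, the agent does not fail the message, it simply has nothing to compare. Only an actual mismatch triggers the alternate processing, here rendered as a listing of the certificate's addresses for the recipient to inspect.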