[Top] [All Lists]

RE: (Practical) S/MIME certificate chain handling

2003-06-30 02:15:09

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Julien 
Sent: Monday, June 30, 2003 1:10 AM
To: jimsch(_at_)exmsft(_dot_)com; ietf-smime(_at_)imc(_dot_)org
Subject: Re: (Practical) S/MIME certificate chain handling

So to summarize, I was wondering whether it would be a good idea to
mandate that clients should sent as much info as possible so 
as to help
signature verification, or at least provide the user with the 
option to
do so. Naturally, none of these info should include root 
trust anchors.

I believe that most clients transmit the certificate chain (not
including the root) today.

It's not clear what action we can take that would make life nicer for
everyone -- we already have language in 2632bis:

Sending agents SHOULD include any certificates for the user's public
key(s) and associated issuer certificates. This increases the
likelihood that the intended recipient can establish trust in the
originator's public key(s). This is especially important when sending
a message to recipients that may not have access to the sender's
public key through any other means or when sending a signed message to
a new recipient. The inclusion of certificates in outgoing messages
can be omitted if S/MIME objects are sent within a group of
correspondents that has established access to each other's
certificates by some other means such as a shared directory or manual
certificate distribution. Receiving S/MIME agents SHOULD be able to
handle messages without certificates using a database or directory
lookup scheme.

If there is something I'm missing, please let me know.  This is a SHOULD