-----Original Message-----
From: Russ Housley [mailto:housley(_at_)vigilsec(_dot_)com]
Sent: Tuesday, July 29, 2003 4:36 PM
To: jimsch(_at_)exmsft(_dot_)com; 'Blake Ramsdell'; ietf-smime(_at_)imc(_dot_)org
Subject: RE: RFC2632bis and subjectAltName
I understand that non-email applications of CMS and the associated MIME
types need other address forms. But, RFC2632bis does not tell an
implementor what to do for S/MIME (which is an email application) if the
certificate does not contain an email address.
I'm still not clear whether S/MIME means "secure MIME used anywhere MIME
can be used, such as XMPP or BEEP" or S/MIME means "secure MIME used for
interpersonal email messaging". Depending on the answer, you will get
different answers if it's necessary to clarify any language about the
absence of email addresses in the certificate.
The relevant text about current processing rules seems to be:
Sending agents SHOULD make the address in the From or Sender header in
a mail message match an Internet mail address in the signer's
certificate. Receiving agents MUST check that the address in the From
or Sender header of a mail message matches an Internet mail address,
if present, in the signer's certificate, if mail addresses are present
in the certificate. A receiving agent SHOULD provide some explicit
alternate processing of the message if this comparison fails, which
may be to display a message that shows the recipient the addresses in
the certificate or other certificate details.
So if there are not any email addresses found in the certificate, this
is a mismatch (blank from the certificate doesn't match nonblank from
the From or Sender), and you should go crazy insane and show a hex dump
of the certificate.
We could clarify that "failure" includes the case where there are zero
email addresses in the certificate...
Blake
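The From/Sender-versus-certificate check quoted above, with the zero-address case the reply argues about handled as its own outcome, as an added example. This is not code from the thread, from RFC2632bis, or from any S/MIME implementation. It assumes the signer certificate's rfc822Name subjectAltName values have already been extracted into a plain Python list (the constructed stand-in `cert_rfc822_names`), and it compares addresses case-insensitively as a policy choice made here, not a rule the thread states.

```python
"""Receiving-agent address check for a signed message (added example).

Outcomes mirror the text: MATCH when a From or Sender address equals an
address in the signer's certificate, MISMATCH when the certificate has
addresses but none match, and NO_ADDRESS_IN_CERT for the case the reply
wants spelled out as a failure: the certificate carries no email address
at all. In both failure cases the agent should fall back to the
"explicit alternate processing" the text describes, i.e. show the user
what the certificate actually contains.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses
from typing import List, Optional

MATCH = "match"
MISMATCH = "mismatch"
NO_ADDRESS_IN_CERT = "no_address_in_cert"


def _normalize(addr: str) -> str:
    # Assumption for this example: fold the whole address to lower case.
    # RFC 5321 leaves local-part case to the receiving host, so a stricter
    # agent might fold only the domain part.
    return addr.strip().lower()


def header_addresses(raw_message: str) -> List[str]:
    """Return the addresses found in From and Sender headers, From first."""
    msg = message_from_string(raw_message)
    values = msg.get_all("From", []) + msg.get_all("Sender", [])
    # getaddresses() strips display names and angle brackets for us.
    return [addr for _, addr in getaddresses(values) if addr]


@dataclass
class CheckResult:
    status: str
    matched: Optional[str]          # certificate address that matched, if any
    header_addrs: List[str] = field(default_factory=list)
    cert_addrs: List[str] = field(default_factory=list)


def check_signer_address(raw_message: str,
                         cert_rfc822_names: List[str]) -> CheckResult:
    """Compare From/Sender addresses with the certificate's rfc822Names."""
    hdr = header_addresses(raw_message)
    if not cert_rfc822_names:
        # Zero email addresses in the certificate: treated as a failure,
        # reported distinctly so the UI can explain why.
        return CheckResult(NO_ADDRESS_IN_CERT, None, hdr, [])
    cert_by_norm = {_normalize(a): a for a in cert_rfc822_names}
    for a in hdr:
        hit = cert_by_norm.get(_normalize(a))
        if hit is not None:
            return CheckResult(MATCH, hit, hdr, list(cert_rfc822_names))
    return CheckResult(MISMATCH, None, hdr, list(cert_rfc822_names))


def alternate_processing_text(result: CheckResult) -> str:
    """Text for the alternate processing path: show the certificate's view."""
    if result.status == MATCH:
        return "Signer address verified: %s" % result.matched
    shown = ", ".join(result.header_addrs) or "(none)"
    if result.status == NO_ADDRESS_IN_CERT:
        return ("Signer certificate contains no email address; "
                "message headers claim: %s" % shown)
    return ("Signer certificate addresses (%s) do not match message "
            "headers (%s)" % (", ".join(result.cert_addrs), shown))


# Constructed sample message (not from the thread).
SAMPLE_MESSAGE = (
    "From: Alice Example <alice@example.org>\r\n"
    "Sender: mailer@example.org\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for cert_names in (["Alice@Example.org"], ["bob@example.org"], []):
        print(alternate_processing_text(
            check_signer_address(SAMPLE_MESSAGE, cert_names)))
```

Keeping `NO_ADDRESS_IN_CERT` separate from `MISMATCH` is the point of the example: both end in the alternate-processing path, but a user shown "the certificate has no email address" can judge the situation, while a bare mismatch against an empty list reads as a bug.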