"Blake Ramsdell" <blake(_at_)brutesquadlabs(_dot_)com> writes:
"When looking up certificates using the subjectKeyIdentifier field, S/MIME
agents MUST be prepared to handle multiple certificates that have the same
subjectKeyIdentifier value gracefully."
That won't work if you only find the wrong cert using the sKID. That is,
there are two certs with the given sKID, you get a perfect match on the one
that you can locate, but it's the wrong one.
The real problem here is that by building a spaghetti PKI (one that violates
the original X.509 design) you're subjecting yourself to a world of pain that
no amount of text in a standard can resolve. So the only practical solution
would be to include a warning to say that everything works as required with a
conventional PKI, but all bets are off once you're in a spaghetti PKI
scenario, because the design was never intended to be used like that. Might I
suggest:
"The behaviour of S/MIME agents in a spaghetti PKI scenario is a
ecumen^H^H^H^Hpolicy matter".
Peter.