At 7:45 AM -0500 3/25/04, Russ Housley wrote:
> 1. The article gives the impression that S/MIME is broken, and
> this is not the case. I would have been much happier with a title
> that conveyed problems with certificate issuing services and the
> ramifications of poor identity proofing. S/MIME is not the only
> security protocol that will suffer if the identity in a certificate
We disagree that the article gives the impression that S/MIME is
broken. Reading it, I came away with the impression that some S/MIME
implementations are broken. Maybe I've been working with this too
long and I know that S/MIME isn't broken.
> 2. As far as S/MIME is concerned, the email address is the
> identity. X.500 Distinguished Names are not helpful to the S/MIME
> application, as there are not any protocol fields that make use of
> this form of identity.
Exactly right. The fact that Thawte asks for, and some S/MIME
applications use, it shows a disregard for the standard. They are
blatantly ignoring the SHOULD NOT.
> 3. The fact that Outlook hides the only form of identity that is
> validated is the biggest problem.
Absolutely true, and pretty clear from the article.
> Now that a script has been posted, maybe we should put some stronger
> language in MSGbis about the user interface.
That would be nice.
--Paul Hoffman, Director
--Internet Mail Consortium
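An added example, not part of the thread above and not code from either poster, illustrating the receiving-agent check that points 2 and 3 describe: the only protocol identity in an S/MIME signer certificate is the rfc822Name in subjectAltName, so the agent should pull that name out, compare it against the addr-spec of the From header, and show that address to the user rather than the subject DN's common name. The certificate fields, the sample SubjectAltName DER bytes and the sample From headers are constructed here for the demonstration; the minimal DER walker, the decision to compare the domain case-insensitively and the local part exactly, and the `evaluate_signer` result layout are choices of this example, not anything the thread or any S/MIME product specifies.

```python
"""Check an S/MIME signer's validated identity (rfc822Name) against From:.

Constructed example: the SAN bytes and headers below are made up for the
demonstration; the DER walker handles only what SubjectAltName needs.
"""
import email.utils


def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a short-form length (payload < 128 bytes)."""
    assert len(payload) < 128, "sample encoder only supports short-form lengths"
    return bytes([tag, len(payload)]) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def san_rfc822_names(san_der: bytes) -> list:
    """Extract every rfc822Name ([1] IA5String) from a SubjectAltName value.

    SubjectAltName ::= SEQUENCE OF GeneralName; other GeneralName choices
    (dNSName, URI, directoryName, ...) are skipped because none of them is
    the identity an S/MIME receiving agent is supposed to act on.
    """
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a DER SEQUENCE")
    names = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x81:  # context tag [1] = rfc822Name
            names.append(value.decode("ascii"))
    return names


def signer_address_matches(from_header: str, rfc822_names: list) -> bool:
    """True if the From: addr-spec matches an rfc822Name in the certificate.

    Only the addr-spec is used; a display name that merely *looks like* a
    trusted address (e.g. "alice@example.com" <mallory@example.net>) must
    not count. Domain compared case-insensitively, local part exactly
    (a conservative choice made for this example).
    """
    _display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    for name in rfc822_names:
        if "@" not in name:
            continue
        cert_local, cert_domain = name.rsplit("@", 1)
        if cert_local == local and cert_domain.lower() == domain.lower():
            return True
    return False


def evaluate_signer(from_header: str, subject_cn: str, san_der: bytes) -> dict:
    """Summarise what a receiving agent should display and decide."""
    names = san_rfc822_names(san_der)
    return {
        "validated_identity": names,       # what the UI should show the user
        "unvalidated_cn": subject_cn,      # DN field: not a protocol identity
        "from_matches_certificate": signer_address_matches(from_header, names),
    }


# Constructed sample certificate fields (not a real certificate).
SAMPLE_CN = "Alice Example"
SAMPLE_SAN = _der(0x30, _der(0x82, b"mail.example.com")      # [2] dNSName
                        + _der(0x81, b"alice@example.com"))  # [1] rfc822Name

if __name__ == "__main__":
    for hdr in ("Alice Example <alice@example.com>",
                '"alice@example.com" <mallory@example.net>'):
        print(hdr, "->", evaluate_signer(hdr, SAMPLE_CN, SAMPLE_SAN))
```

The second sample header is the case a user interface has to get right: the display name carries a trusted-looking address, but the addr-spec (and therefore the match against the certificate) is a different mailbox, so the check reports no match while the certificate's common name would have looked perfectly reassuring on its own.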