Not exactly right.
There is a difference between an RFC822 address as a user identity
and an RFC822 address as routing information to enable message
delivery. If I have a certificate identifying me as
dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil, then S/MIME user agents should display
my identity without rejecting, or even whining, if I send a signed
message from my hotmail account. And S/MIME user agents should
allow me to encrypt a message to Paul using his imc.org certificate,
but address it to Paul's hotmail account, without rejection or
whining.
Using a different syntax for subject names and email addresses makes
this distinction obvious and would force user agents to operate
correctly. Using the same RFC822 syntax for both subject names and
email addresses leads to confusion between a user's single identity
and that user's multiple mailboxes.
Mismatch between an identity in a certificate and an unauthenticated
address in a message header is NOT a security vulnerability.
Displaying an unauthenticated message header as if it were an
authenticated identity IS a vulnerability. Blurring this distinction
by saying "the email address is the identity" is wrong, even if it
is written down in black and white in the RFCs.
Dave
Paul Hoffman / IMC wrote:
2. As far as S/MIME is concerned, the email address is the identity.
X.500 Distinguished Names are not helpful to the S/MIME application,
as there are not any protocol fields that make use of this form of
identity.
Exactly right. The fact that Thawte asks for, and some S/MIME
applications use, it shows a disregard for the standard. They are
blatantly ignoring the SHOULD NOT.