[Top] [All Lists]

Re: I-D ACTION:draft-ietf-smime-certcapa-02.txt

2005-02-17 12:22:59

On Feb 17, 2005, at 11:05 AM, Stefan Santesson wrote:

Would it be sufficient to say that the SMIMECapabilities extension
SHOULD only be included in certificates that support S/MIME encryption?

Why be so restrictive? Why not just point out that it makes sense to include this extension in certificates than can be used for encryption; it doesn't make sense to include it in certificates constrained to signing operations, and leave it at that?
I don't see any reason for MUST or SHOULDs here.

You can mention that inclusion of the SMIMECapabilities extension in a place where it doesn't make sense is to be handled gracefully; e.g. you ignore it; you
don't use it as an excuse to reject the certificate.

In the above message, the suggestion is made that precedence be determined by who is more trustworthy. I think it should be determined by who is more knowledgeable. It's the sender of a message that has more current knowledge of cryptographic capabilities of her equipment or cryptographic tokens and has more knowledge about where replies to the message will be delivered and the cryptographic capabilities that exist there. Ergo, the SMIMECapabilities in the
message should take precedence if there's a conflict.

Eric Norman
University of Wisconsin -- DoIT