On Feb 17, 2005, at 11:05 AM, Stefan Santesson wrote:
Would it be sufficient to say that the SMIMECapabilities extension
SHOULD only be included in certificates that support S/MIME encryption?
Why be so restrictive? Why not just point out that it makes sense to
include this
extension in certificates than can be used for encryption; it doesn't
make sense
to include it in certificates constrained to signing operations, and
leave it at that?
I don't see any reason for MUST or SHOULDs here.
You can mention that inclusion of the SMIMECapabilities extension in a
place
where it doesn't make sense is to be handled gracefully; e.g. you
ignore it; you
don't use it as an excuse to reject the certificate.
http://www.imc.org/ietf-smime/mail-archive/msg02112.html
In the above message, the suggestion is made that precedence be
determined
by who is more trustworthy. I think it should be determined by who is
more
knowledgeable. It's the sender of a message that has more current
knowledge
of cryptographic capabilities of her equipment or cryptographic tokens
and has
more knowledge about where replies to the message will be delivered and
the
cryptographic capabilities that exist there. Ergo, the
SMIMECapabilities in the
message should take precedence if there's a conflict.
Eric Norman
University of Wisconsin -- DoIT