Agree that the SMTP servers could be a reasonable approach. Others might
be to declare some sort of canonicalization rule or matching regex in the
cert.
Enumerating canonicalizations is hopeless for reasons already discussed,
but Regex is an interesting idea, although it quickly takes you back to the
question of what assertion the certificate is making. At this point, the
places signing S/MIME certs just check that the applicant reads mail at
the address in the cert by sending it a link. But what does that mean
with a regex? How do you check that the addresses it matches all
map to the same mailbox? Sometimes you can enumerate the addresses a
regex matches (these are all me):
(hostmaster|johnl?)@(iecc|taugh)\.com
sometimes you can in principle but not in practice:
[Jj]\.?[Oo]\.?[Hh]\.?[Nn]\.?[Ll]\.[Ee]\.?[Vv]\.?[Ii]\.?[Nn]\.?[Ee]\.?@gmail\.com
sometimes you can't even try, although you could use heuristics:
(johnl?-[^@]+@iecc|[^@]+@johnlevine)\.com
but how do you allow those but not this one?
(hostmaster|johnl?)@(iecc|taugh|paypal)\.com
R's,
John
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
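As an added example (not from John's message or anything else on the ietf-smtp list), here is a small Python audit that sorts an address regex into the three buckets the message describes: every address it matches can be enumerated (and is then checked against the domains the applicant has already proven a mailbox in), it is enumerable in principle but beyond a verifier's patience, or it is not enumerable at all. It walks CPython's own regex parser (`re._parser`, `sre_parse` on older releases) and expands the constructs the four patterns above use; the cap of 10,000 addresses, the set of "verified domains" and the verdict names are assumptions made for this example. The fourth pattern is rejected because three of its matches fall in paypal.com, a domain the applicant never proved control of.

```python
"""Audit an address regex for a certificate application: enumerate what it
matches and check that every match lies in a domain already verified.
Added example, not from the ietf-smtp thread."""
import itertools
import re
from _sre import MAXREPEAT

try:                      # CPython 3.11+ keeps the regex parser as re._parser
    from re import _parser as P
except ImportError:       # older releases expose it as sre_parse
    import sre_parse as P

CAP = 10_000              # assumption: most addresses a verifier will enumerate


class NotEnumerable(Exception):
    """The pattern admits an unbounded set of strings (or an unsupported construct)."""


class TooMany(Exception):
    """The language is finite but larger than the cap."""


def _charset(items):
    """Expand a [...] class into its member characters."""
    chars = []
    for op, arg in items:
        if op == P.LITERAL:
            chars.append(chr(arg))
        elif op == P.RANGE:
            chars.extend(chr(c) for c in range(arg[0], arg[1] + 1))
        elif op == P.NEGATE:          # [^...] has no finite expansion
            raise NotEnumerable("negated character class")
        else:
            raise NotEnumerable(f"unsupported class item {op}")
    return chars


def _expand(sub, cap):
    """Every string a parsed sub-pattern can match, or raise."""
    results = [""]
    for op, arg in sub:
        if op == P.LITERAL:
            alts = [chr(arg)]
        elif op == P.NOT_LITERAL:     # the parser turns [^@] into NOT_LITERAL
            raise NotEnumerable("negated literal")
        elif op == P.IN:
            alts = _charset(arg)
        elif op == P.AT:              # ^ / $ contribute nothing to the string
            alts = [""]
        elif op == P.SUBPATTERN:      # arg ends with the group's own sub-pattern
            alts = _expand(arg[-1], cap)
        elif op == P.BRANCH:          # arg = (None, [alternative, ...])
            alts = [s for alt in arg[1] for s in _expand(alt, cap)]
        elif op in (P.MAX_REPEAT, P.MIN_REPEAT):
            lo, hi, inner = arg
            if hi == MAXREPEAT:       # +, *, {n,}
                raise NotEnumerable("unbounded repetition")
            pieces = _expand(inner, cap)
            if len(pieces) ** hi > cap:
                raise TooMany(len(pieces) ** hi)
            alts = sorted({"".join(t) for n in range(lo, hi + 1)
                           for t in itertools.product(pieces, repeat=n)})
        else:
            raise NotEnumerable(f"unsupported construct {op}")
        results = [r + a for r in results for a in alts]
        if len(results) > cap:
            raise TooMany(len(results))
    return results


def enumerate_matches(pattern, cap=CAP):
    """Sorted list of every string `pattern` fully matches; raises NotEnumerable/TooMany."""
    addrs = sorted(set(_expand(P.parse(pattern), cap)))
    # self-check against the real engine so a parser quirk cannot silently widen the list
    assert all(re.fullmatch(pattern, a) for a in addrs)
    return addrs


def audit_pattern(pattern, verified_domains, cap=CAP):
    """Decide whether a regex is acceptable given domains the applicant has proven a mailbox in.

    Returns (verdict, detail): ("ok", addresses), ("outside-scope", offending addresses),
    ("too-many", []) or ("not-enumerable", [reason]).
    """
    verified = {d.lower() for d in verified_domains}
    try:
        addrs = enumerate_matches(pattern, cap)
    except TooMany:
        return "too-many", []
    except NotEnumerable as e:
        return "not-enumerable", [str(e)]
    outside = [a for a in addrs
               if a.count("@") != 1 or a.rsplit("@", 1)[1].lower() not in verified]
    return ("outside-scope", outside) if outside else ("ok", addrs)


if __name__ == "__main__":
    verified = {"iecc.com", "taugh.com"}   # assumed: proven via the usual mailed link
    for pat in (r"(hostmaster|johnl?)@(iecc|taugh)\.com",
                r"[Jj]\.?[Oo]\.?[Hh]\.?[Nn]\.?[Ll]\.[Ee]\.?[Vv]\.?[Ii]\.?[Nn]\.?[Ee]\.?@gmail\.com",
                r"(johnl?-[^@]+@iecc|[^@]+@johnlevine)\.com",
                r"(hostmaster|johnl?)@(iecc|taugh|paypal)\.com"):
        print(pat, "->", audit_pattern(pat, verified))
```

The audit only answers the scope question. Even when every enumerated address sits inside a verified domain, nothing here shows that they all reach the same mailbox, which is the harder assertion the message says a regex in a certificate would have to carry.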