On Thu, Mar 10, 2016 at 2:28 AM, John R Levine <johnl(_at_)taugh(_dot_)com>
Agree that the SMTP servers could be a reasonable approach. Others might
be to declare some sort of canonicalization rule or matching regex in the
Enumerating canonicalizations is hopeless for reasons already discussed,
but Regex is an interesting idea, although it quickly takes you back to the
question of what assertion the certificate is making. At this point, the
places signing S/MIME certs just check that the applicant reads mail at the
address in the cert by sending it a link.
It's certainly true that the issuer of a cert using such a regex-represented
name matters greatly now. (I wondered about the same issue in another
thread.) A third-party CA is going to have a much harder time understanding
the local practices, and that represents a spoofing risk, though I suspect
it might be possible to communicate local practices to prevent that. A
workable scenario is that the certificate issuer is the email domain owner
who understands intimately the email local practices.
But what does that mean with a regex? How do you check that the addresses
it matches all map to the same mailbox? Sometimes you can enumerate the
addresses a regex matches (these are all me):
sometimes you can in principle but not in practice:
sometimes you can't even try although you could use heuristics
but how do you allow those but not this one?
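The three cases above (enumerable, enumerable in principle but not in practice, not enumerable) are exactly what a cert issuer would have to decide before accepting a regex as a name. As an added illustration that is not part of this thread or of any S/MIME implementation, here is a small Python enumerator for a deliberately restricted regex syntax (literals, backslash escapes, [..] classes with ranges, (..) groups with '|', and {m,n} repeats, with '?' written as {0,1}): it returns the full match set when that set is small, and raises NotEnumerable when the pattern is unbounded ('*', '+', '{m,}', '.') or would exceed a limit. The sample patterns in the tests are constructed on example.com, not anyone's real addresses.

```python
import re
from itertools import product
class NotEnumerable(ValueError): pass  # pattern is unbounded, or exceeds the match limit
def enumerate_matches(pattern, limit=1000):
    """Every string a restricted regex matches: literals, \\-escapes, [..] with ranges, (..|..) groups, {m,n}."""
    i = 0  # parser cursor into pattern
    def parse_seq():  # (atom {m,n}?)* up to '|', ')' or the end
        nonlocal i
        strings = {''}
        while i < len(pattern) and pattern[i] not in '|)':
            atom, (lo, hi) = parse_atom(), parse_quant()
            if len(strings) * sum(len(atom) ** n for n in range(lo, hi + 1)) > limit:
                raise NotEnumerable(f"more than {limit} matches")  # in principle, not in practice
            reps = {''.join(t) for n in range(lo, hi + 1) for t in product(atom, repeat=n)}
            strings = {a + b for a in strings for b in reps}
        return strings
    def parse_atom():  # group, class, escape or literal -> set of strings
        nonlocal i
        c, i = pattern[i], i + 1
        if c == '(':  # '|'-separated alternatives, each a nested sequence
            strings = set()
            while c != ')':  # c: the '(' and then each '|' that ended a branch
                strings |= parse_seq()
                c, i = pattern[i:i + 1] or ')', i + 1  # no ')' -> final length check fails
            return strings
        if c == '[':
            j = pattern.index(']', i)
            body, i, chars = pattern[i:j], j + 1, set()
            for lo_c, hi_c, one in re.findall(r'(.)-(.)|(.)', body):  # a-z range or one char
                chars.update(one or map(chr, range(ord(lo_c), ord(hi_c) + 1)))
            return chars
        if c == '\\':  # escaped metacharacter such as '\.'
            c, i = pattern[i], i + 1
        elif c == '.':
            raise NotEnumerable("'.' matches any character")
        return {c}
    def parse_quant():  # {m,n} -> (m, n); none -> (1, 1); '*', '+', '{m,}' are unbounded
        nonlocal i
        c = pattern[i:i + 1]
        if c not in ('*', '+', '{'):
            return 1, 1
        j = pattern.index('}', i) if c == '{' else i
        lo, comma, hi = pattern[i + 1:j].partition(',')
        i = j + 1
        if c == '{' and (hi or not comma):
            return int(lo), int(hi or lo)
        raise NotEnumerable(f"'{c}' quantifier matches unboundedly many strings")
    strings = parse_seq()
    if i != len(pattern): raise ValueError("malformed pattern")
    return strings
```

The size guard is an upper bound computed before expansion, so a pattern such as [a-z]{6} is rejected without materialising anything, while an unbounded quantifier or a bare '.' is rejected outright.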
ietf-smtp mailing list