TOFU certainly seems to work in practice. But this doesn't address the
question that started this discussion, looking for a new correspondent's
certificate in a key store. If I look for bobsmith@example and it has a cert
BobSmith@example, it's clearly the same person. But if it finds
Bob.Smith@example or Robert.Smith@example or R.W.Smith@example,
The question that started the discussion is the inconsistency with which MUAs
match the local-part of a From: address to the local-part of an rfc822Address
SAN or email RDN component.
However, an *a priori* search of a key store is a niche case.
First, outside an enterprise there is no global directory, so there's no place
to search anyway. You're much more likely to exchange unsigned emails first.
Second, inside an enterprise context where there *is* a directory, the address
format is often fixed and known and the directory provides additional context
(e.g., department, phone number, etc.) to disambiguate results, so strict
matching standards aren't needed.
ietf-smtp mailing list
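Added example, not from the thread: a key-store lookup that makes the local-part policy explicit. The domain is always folded; the local-part is compared byte-for-byte under the strict policy (its case is the receiving host's business) or case-folded under the lenient one that treats bobsmith and BobSmith alike. Dotted or rewritten local-parts never match automatically, and a lookup that hits more than one certificate is reported as ambiguous instead of being resolved silently. The key store, its labels and its addresses are constructed for the example.

```python
from email.utils import parseaddr


def split_address(addr: str):
    """Split 'local@domain'; the domain part is case-insensitive, so fold it."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return local, domain.lower()


def address_matches(from_addr: str, cert_addr: str, strict: bool = True) -> bool:
    """Strict: exact local-part. Lenient: case-folded local-part.
    Neither policy treats 'bobsmith' and 'Bob.Smith' as the same mailbox."""
    from_local, from_domain = split_address(from_addr)
    cert_local, cert_domain = split_address(cert_addr)
    if from_domain != cert_domain:
        return False
    if strict:
        return from_local == cert_local
    return from_local.casefold() == cert_local.casefold()


def find_certificate(from_header: str, key_store: dict, strict: bool = True):
    """key_store maps a certificate label to the email names already extracted
    from that certificate (SAN rfc822Name values and/or the Subject emailAddress
    RDN). Returns ('match', label), ('ambiguous', [labels]) or ('none', [])."""
    _, from_addr = parseaddr(from_header)
    if not from_addr:
        raise ValueError(f"no address in From: header {from_header!r}")
    hits = [label for label, names in key_store.items()
            if any(address_matches(from_addr, n, strict) for n in names)]
    if len(hits) == 1:
        return "match", hits[0]
    if hits:
        return "ambiguous", hits
    return "none", []


# Constructed key store built from the addresses in the post (no real certificates).
KEY_STORE = {
    "cert-1": ["BobSmith@example"],
    "cert-2": ["Bob.Smith@example"],
    "cert-3": ["Robert.Smith@example", "R.W.Smith@example"],
}

if __name__ == "__main__":
    hdr = "Bob Smith <bobsmith@example>"
    print(find_certificate(hdr, KEY_STORE, strict=True))   # ('none', [])
    print(find_certificate(hdr, KEY_STORE, strict=False))  # ('match', 'cert-1')
```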