[Top] [All Lists]

Re: [ietf-smtp] [pkix] key identities, why you shouldn't even try to canonicalize local parts

2016-03-22 11:18:52
It's more practical to treat the key as the relevant identity, since only
the key holder can read the email irrespective of email address.

For encrypted mail, this is clearly right. For signed mail, it's not unreasonable but it's also less clear. The whole issue of binding real world identities to e-mail addresses is a swamp, not one that I think we are any better at draining than anyone else. For PGP, there's the web of trust which is supposed to help you decide whether a key matches a person, but doesn't really say anything about the e-mail addresses attached to the key. For S/MIME the CA does what it does, which these days is rarely any more than a challenge message to the e-mail address.

So I mostly agree with you, with the caveat that you have to be careful not to misinterpret assurances about an e-mail address as assurances about the person or entity allegedly associated with that address.

John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

ietf-smtp mailing list

<Prev in Thread] Current Thread [Next in Thread>