Regarding the suitability of embedding email addresses in certificates,
would it be fair to say that domains willing to live with permanent email
identities and narrowly defined delivery patterns could have a standardized
means of describing equivalent email addresses?
Hard to say. The PKIX crowd put in case folded addreses without, as
far as I know, asking anyone in the SMTP community whether that's a
good idea. While nobody thinks it's likely that Fred@example,
FRED@example, and fred@example would correspond to different people,
once you get past case folding you quickly run out of popular
techniques, and even case folding is hard in EAI since the folding
rules are specific to each language.
My advice would be that if you're signing mail with S/MIME or PGP,
take the form of the address you use in your From: line and put that
in the certificate. If you want to look up certificates, do something
like draft-bhjl-x509-srv rather than a system that depends on
client-side canonicalization.
R's,
John
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp