pem-dev

Certification procedure

1993-05-06 16:29:00

Peter,

You assess that an email certificate-signing request alone is
meaningless.  Given the ease in forging unauthenticated mail, I share
this opinion that such a request carries very little identity
assurance.  We have set up a certification mail responder
(persona-request(_at_)rsa(_dot_)com) to handle "e-mail only" requests.  Our
policy is to automatically certify any certificate-signing request
with the following name structure:

C=US
O=RSA Data Security, Inc.
OU=Persona Certificate
CN=<any name goes here>

The only requirement is that the Common Name attribute be unique among
all other valid Persona certificates.  This works OK for such
certificates, as our Low Assurance PCA statement will clearly indicate
that such certificates carry NO identity assurance.  For all other
matters, some other form of identification will be required from the
user.  Good candidates include signed letters and publicly notarized
application forms.

Cheers,
Steve Dusse
RSA Data Security, Inc.
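
The name check described in the message above, as an added example that is not part of the original post and not RSA's responder code. The fixed C/O/OU values come from the message; the function names, the record layout, the case- and whitespace-insensitive comparison, and reading "valid" as "neither expired nor revoked" are assumptions.

```python
# Added illustration only. Fixed name prefix is taken from the message;
# normalisation rules and the 'issued' record layout are assumptions.
import re
from datetime import date

PERSONA_PREFIX = [("C", "US"),
                  ("O", "RSA Data Security, Inc."),
                  ("OU", "Persona Certificate")]

def norm(value):
    """Collapse whitespace and fold case, so 'Alice  Smith' == 'alice smith'."""
    return re.sub(r"\s+", " ", value.strip()).casefold()

def check_request(subject, issued, today):
    """subject: ordered (attribute type, value) pairs from the request.
    issued: dicts with 'cn', 'not_after' (date) and 'revoked' (bool).
    Returns (accepted, reason)."""
    if len(subject) != len(PERSONA_PREFIX) + 1:
        return False, "subject must be exactly C, O, OU, CN"
    for (want_t, want_v), (got_t, got_v) in zip(PERSONA_PREFIX, subject):
        if got_t.upper() != want_t or norm(got_v) != norm(want_v):
            return False, f"{want_t} must be '{want_v}'"
    cn_type, cn = subject[-1]
    if cn_type.upper() != "CN" or not norm(cn):
        return False, "last attribute must be a non-empty CN"
    # Uniqueness is checked only against certificates that are still valid
    # (assumed here: not revoked and not past their expiry date).
    for cert in issued:
        valid = not cert["revoked"] and cert["not_after"] >= today
        if valid and norm(cert["cn"]) == norm(cn):
            return False, "CN already in use by a valid Persona certificate"
    return True, "ok"

# Constructed sample data.
TODAY = date(1993, 5, 6)
ISSUED = [
    {"cn": "Alice Smith", "not_after": date(1994, 1, 1), "revoked": False},
    {"cn": "Bob Jones", "not_after": date(1993, 1, 1), "revoked": False},  # expired
]

def persona(cn):
    """Build a subject name with the Persona prefix and the given CN."""
    return PERSONA_PREFIX + [("CN", cn)]

if __name__ == "__main__":
    for name in ("Carol", "alice  smith", "Bob Jones"):
        print(name, check_request(persona(name), ISSUED, TODAY))
```

Passing this check says only that the name is well-formed and unused; as the message states, it carries no identity assurance.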
