A simple Internet e-mail address could be a perfectly fine DN, and could be
used to look up all of the rest of the junk, even if someone wants to send a FAX
or a Telex, or an X.121 message to you. Some of this information, and
probably a lot more besides, would be useful to stick into a certificate
for the purpose of validating digitally signed and archived messages for
nonrepudiation, but insisting on too close a correspondence between the
information in the certificate and the X.400 address is probably a mistake.
I just went to my Mac and used DigiSign (in AOCE) to generate a new
DN and keypair. It let me use my email address as the common name,
and the other attributes were for the company. I think people may
do this a lot: create a name like /C=US/O=RSA/CN=jefft(_at_)rsa(_dot_)com .
Is this a violation? And if not, is this a good solution, letting
people use email addresses which the mailer will catch, as well
as conforming to subordination rules?
(I'm not so much proposing a new method as I am forewarning that people
will make names like this.)
- Jeff
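The two things Jeff's message turns on, whether a DN of the form /C=US/O=RSA/CN=<e-mail address> still satisfies name subordination and whether a mailer can key on such a CN, can be made concrete with a small parser and checker. The block below is an added example written for this page, not code from the thread or from DigiSign/AOCE. It assumes the RFC 1422 subordination rule (an issuer may certify only a subject whose DN extends the issuer's own DN by one or more RDNs) and a mailer that matches the CN against an RFC 822 address with a case-insensitive domain part; the DNs and addresses in it are constructed for illustration.

```python
"""Added example (not from the thread): parse slash-separated DNs such as
/C=US/O=RSA/CN=user@example.com and test them against a PEM-style name
subordination rule, then show what a mailer could match on.

Assumptions, labelled as such:
- Subordination follows RFC 1422: an issuer may certify only a subject
  whose DN extends the issuer's own DN by at least one RDN.
- A mailer locating a certificate compares the CN against the RFC 822
  address with the local part exact and the domain case-insensitive.
All DNs and addresses below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

RDN = Tuple[str, str]

# Loose syntactic test: exactly one '@', no whitespace or '/', dotted domain.
_EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")


def parse_dn(dn: str) -> List[RDN]:
    """Split '/C=US/O=RSA/CN=...' into an ordered list of (type, value) pairs.

    Attribute types are upper-cased so 'cn' and 'CN' compare equal; values
    are kept verbatim apart from surrounding whitespace.
    """
    if not dn.startswith("/"):
        raise ValueError("DN must begin with '/': %r" % dn)
    rdns: List[RDN] = []
    for part in dn[1:].split("/"):
        if not part:
            continue  # tolerate a trailing slash
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def is_subordinate(issuer_dn: str, subject_dn: str) -> bool:
    """True when subject_dn is issuer_dn plus one or more further RDNs
    (the assumed RFC 1422 subordination rule)."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer


def email_in_cn(dn: str) -> Optional[str]:
    """Return the CN value when it is syntactically an e-mail address."""
    for attr_type, value in parse_dn(dn):
        if attr_type == "CN" and _EMAIL_RE.match(value):
            return value
    return None


def _same_address(a: str, b: str) -> bool:
    """Local part compared exactly, domain compared case-insensitively."""
    local_a, domain_a = a.rsplit("@", 1)
    local_b, domain_b = b.rsplit("@", 1)
    return local_a == local_b and domain_a.lower() == domain_b.lower()


def find_certs_for_address(subject_dns: List[str], address: str) -> List[str]:
    """DNs whose CN is the given address: what a mailer could key on."""
    matches = []
    for dn in subject_dns:
        cn = email_in_cn(dn)
        if cn is not None and _same_address(cn, address):
            matches.append(dn)
    return matches


if __name__ == "__main__":
    ca = "/C=US/O=Example Corp"
    user = "/C=US/O=Example Corp/CN=alice@example.com"
    print("subordinate:", is_subordinate(ca, user))
    print("CN address:", email_in_cn(user))
    print("mailer hit:", find_certs_for_address([user], "alice@EXAMPLE.com"))
```

Note that the subordination check passes for this naming style because the e-mail address sits in the last RDN and the organisation attributes above it are the CA's own; what it does not check, deliberately, is any correspondence between the address's domain and the O attribute, which the first message argues should not be insisted on.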