> On Tue, 15 Mar 1994, Jeff Thompson wrote:
> > The Persona responder requires exactly one extra attribute, which must
> > be a common name, beyond the OU=Persona Certificate. This is to
> > prevent people from trying to stick in organization attributes that
> > make it look (to unwitting users) that they work for that
> > organization.
> Reasonable I suppose. Would it be possible to at least allow the RM
> attribute so that the e-mail address can be embedded in RSA's persona
> certificates? If you're paranoid, you could automatically bounce
> something with an RM attribute that doesn't match the From: or Reply-To:
> lines. They're just as easy to forge of course, but it may help a bit.
Well, now that you mention it, we're working on a sibling service to
the Persona responder which takes an email address in the DN to be
certified. Similar to the Persona responder which adds one common
name attribute, this requires one email attribute to make a DN like:
C=US
O=RSA Data Security, Inc.
OU=Email Certificate
Email=jefft@rsa.com
It performs a challenge-response with that email address to prove
that messages come and go from that address. Details to follow in a
formal definition.
Hey: We need an object identifier for the email attribute. Is there
consensus on what to use, or should we require the emailAddress
(IA5String) defined by PKCS #9?
- Jeff
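The two DN rules discussed in this thread (the Persona "exactly one extra attribute, and it must be a CN" rule, and the proposed Email certificate with a From:/Reply-To: consistency check), written up as an added example; this is not RSA's responder code, the base attribute values are the ones quoted above, and the way the checks are expressed is this example's own. For reference, the PKCS #9 emailAddress attribute mentioned at the end is OID 1.2.840.113549.1.9.1.

```python
from email.utils import parseaddr

# Base attributes as quoted in the thread (constructed from the message text).
PERSONA_BASE = [("C", "US"), ("O", "RSA Data Security, Inc."), ("OU", "Persona Certificate")]
EMAIL_BASE = [("C", "US"), ("O", "RSA Data Security, Inc."), ("OU", "Email Certificate")]


def parse_dn(text):
    """Parse a DN written one 'Type=Value' attribute per line, as in the thread.
    Splitting on the first '=' keeps commas inside values (e.g. 'Inc.') intact."""
    dn = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        attr, sep, value = line.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed attribute line: {line!r}")
        dn.append((attr.strip(), value.strip()))
    return dn


def check_persona_dn(dn):
    """Persona rule: exactly one attribute beyond the base, and it must be a CN.
    An extra O or OU (an organisation the subject does not belong to) is rejected."""
    if dn[:len(PERSONA_BASE)] != PERSONA_BASE:
        return False, "base attributes differ from the Persona base"
    extra = dn[len(PERSONA_BASE):]
    if len(extra) != 1:
        return False, f"expected exactly one extra attribute, got {len(extra)}"
    if extra[0][0] != "CN":
        return False, f"extra attribute must be CN, not {extra[0][0]}"
    return True, "ok"


def check_email_dn(dn, headers):
    """Email-certificate rule plus the suggested bounce check: exactly one Email
    attribute, and its value must equal the From: or Reply-To: address of the
    message it accompanies (headers is a dict of header name -> raw value)."""
    if dn[:len(EMAIL_BASE)] != EMAIL_BASE:
        return False, "base attributes differ from the Email base"
    extra = dn[len(EMAIL_BASE):]
    if len(extra) != 1 or extra[0][0] != "Email" or not extra[0][1]:
        return False, "expected exactly one non-empty Email attribute"
    cert_addr = extra[0][1].lower()
    allowed = {parseaddr(headers.get(h, ""))[1].lower() for h in ("From", "Reply-To")}
    if cert_addr not in allowed:
        return False, f"{cert_addr} matches neither From: nor Reply-To:"
    return True, "ok"
```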