Re: [IETF-PKIX] RFC 822 names in SubjectAltName and other extensions



Paul,

I'd like to suggest that we not allow all of these representations of RFC
822 names, despite your observation that they are all syntactically
allowed under RFC 822.  My reasoning is that we ought to not confuse the
bounds of what is being certified.  As a CA, I can readily validate a pure
user_name@FQDN syntax, but when someone includes a parenthetical comment,
it makes the verification harder and subject to errors.  A user seeing such
a name is likely to pay more attention to a more human-readable part of the
name, which may not be verified, while software is almost certain to pay
attention to the more tightly constrained syntax that actually supports
addressing of the message.  Thus a mismatch may occur if a secure e-mail
package or IPsec implementation validates based on the more restricted
syntax, but the user thinks in terms of the comment part of the name.  I'd
like to urge more of a WYSIWYG approach here, even though it means
restricting the syntax to a subset of what can be expressed in 822.

What do others think?

Steve
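
An added example, not part of the original message or of any PKIX document: a CA-side check that accepts only the restricted user_name@FQDN form and shows, for each rejected name, the address software would act on next to the human-readable part nobody verified. The function names, the regular expression and the sample names are assumptions; Python's `email.utils.parseaddr` stands in for lenient RFC 822 software.

```python
import re
from email.utils import parseaddr

# Assumed restricted form: dot-separated atoms, "@", and an FQDN of at least
# two labels. No comments, display names, quoted strings, angle brackets or
# whitespace are allowed anywhere in the name.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_STRICT = re.compile(rf"{_ATOM}(?:\.{_ATOM})*@{_LABEL}(?:\.{_LABEL})+")


def is_strict_mailbox(name: str) -> bool:
    """True only if the whole string is user_name@FQDN and nothing else."""
    return _STRICT.fullmatch(name) is not None


def check_san_name(name: str):
    """Return (accepted, address_software_uses, unverified_human_part).

    parseaddr() models a lenient RFC 822 consumer: it keeps the addr-spec
    and reports a comment or display name separately. Whenever the third
    field is non-empty, a reader may trust text the CA never validated.
    """
    human_part, addr_spec = parseaddr(name)
    return is_strict_mailbox(name), addr_spec, human_part


# Constructed sample names, not taken from any real certificate.
SAMPLES = [
    "alice@example.com",
    "alice@example.com (Chief Financial Officer)",
    "Chief Financial Officer <alice@example.com>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, addr, human = check_san_name(sample)
        verdict = "accept" if ok else "reject"
        print(f"{verdict}: {sample!r} -> address={addr!r} unverified={human!r}")
```
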