
Re: [IETF-PKIX] RFC 822 names in SubjectAltName and other extensions



Steve:

We still disagree here, but unlike in many arguments in PKIX, it is clear
where we disagree. :-)

>Most folks will not read a CPS, especially if it goes into that level of
>detail, and thus what the fine print says will not matter unless one
>litigates a dispute.

But if you don't read the CPS, you have no idea if the non-comment part of
an email address was verified. I could certainly believe that many CAs who
do not do online enrollment (like corporate CAs) will accept as valid any
information typed into them by the human CA administrator at a CA console.
If I walk up to my human administrator and say "here's my common name and
my email address; give me a cert", there's no sensible way for that human
to verify that it is really my email address. I think you are thinking too
much in the Verisign online enrollment model, which is only one way certs
will be generated.

Basically, either someone reads the CPS or they don't. Saying "because they
probably won't, this identifier is OK because it *could* be verified" is
very dangerous, IMHO. Either it is verified (and the CPS says so), or it
isn't (and it's not covered in the CPS, or the CPS says "we don't verify
this").

>I argue that we ought to be careful to not foster a situation that unduly
>creates an opportunity for confusion.

I fully agree. And I think pretending that a bare email address is verified
and belongs to the named user is quite an opportunity for confusion.
Remember, comments in an RFC 822 name *can* be verified. Both parts can be
verified, or they can be not verified.

--Paul Hoffman, Director
--Internet Mail Consortium