
Re: [IETF-PKIX] RFC 822 names in SubjectAltName and other extensions

> From: Mike Smith <mfsmith@zionsbank.com>
>
> I often feel that we are trying to put too much information into the certs and their extensions, so as to make them unworkable.
>
> If we separate the user operations from the "binding", then ancillary information can be added to the directory or database by the certificate holder under signed conditions.  This way, the liability and responsibility for the correctness of the information stays with the person verifying it (the holder).
>
> I posit that any necessary information to be provided to the directory/database by the customer can best be done AFTER the cert is issued and the cert holder has digital signing capability.


This is an excellent argument in favor of including only the delivery
address portion of an RFC822 name in certificates.

In the "normal" case, where the CA does some validation of the address
but no validation of the name, there is no reason to include the name
comment in the certificate.  Mail user agents are free to include
copies of To:/From: headers, including names, in the signed portion of
the message.

As Steve pointed out, if the CA verifies a name, it is possible to
include it in a Common Name.  I side with those who believe that
it is less confusing to always put a common name (if verified by the
CA) into the subject Name field, and include only the address in an
RFC822 name.
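The check a relying party would make under this design, as an added example that is not part of the thread or of any PKIX implementation: an rfc822Name in SubjectAltName is accepted only if it is a bare addr-spec (no display-name phrase, angle brackets or comment), and the signer's From: header is matched against the certificate by its address alone, ignoring the name the mail user agent put in the signed header. The SAN values and From: header below are constructed sample data, and the code relies only on the standard-library `email.utils.parseaddr`.

```python
"""Validate rfc822Name values from a certificate's SubjectAltName and match a
From: header against them by delivery address only.

Added example for the PKIX thread above; not code from the thread or from any
PKIX library. Sample certificate data is constructed, not from a real cert.
"""
from email.utils import parseaddr

# Constructed sample: rfc822Name values as they might appear in a SAN extension.
# Only the first is a bare addr-spec; the others carry a name or comment.
SAMPLE_SAN = [
    "mfsmith@zionsbank.com",
    "Mike Smith <mfsmith@zionsbank.com>",
    "mfsmith@zionsbank.com (Mike Smith)",
]


def is_bare_addr_spec(value: str) -> bool:
    """True if value is an addr-spec (local-part@domain) and nothing else.

    parseaddr() strips display names, angle brackets and comments; if it
    returned a name, or the address it found is not the whole string, the
    value was not a bare addr-spec and the CA included more than the address.
    """
    realname, addr = parseaddr(value)
    if realname or not addr:
        return False
    if addr != value.strip():
        return False
    local, sep, domain = addr.rpartition("@")
    return sep == "@" and bool(local) and bool(domain)


def check_san_rfc822_names(san_values):
    """Split SAN rfc822Name values into (accepted, rejected) lists."""
    accepted = [v for v in san_values if is_bare_addr_spec(v)]
    rejected = [v for v in san_values if not is_bare_addr_spec(v)]
    return accepted, rejected


def _addr_key(addr: str):
    # Local part is case-sensitive per RFC 822; the domain is not.
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def from_matches_certificate(from_header: str, san_values) -> bool:
    """Does the addr-spec in a From: header match an accepted rfc822Name?

    The display name in From: is deliberately ignored: the certificate binds
    only the address, and the name travels in the signed message headers.
    """
    _, from_addr = parseaddr(from_header)
    if not from_addr:
        return False
    accepted, _ = check_san_rfc822_names(san_values)
    return _addr_key(from_addr) in {_addr_key(a) for a in accepted}


if __name__ == "__main__":
    ok, bad = check_san_rfc822_names(SAMPLE_SAN)
    print("accepted:", ok)
    print("rejected:", bad)
    print(from_matches_certificate("Mike Smith <mfsmith@ZIONSBANK.COM>", SAMPLE_SAN))
```

Rejecting rather than silently trimming the malformed values is the conservative choice: a relying party that trimmed "Mike Smith <mfsmith@zionsbank.com>" to its address would be accepting a name the CA may never have verified, which is exactly the confusion the message argues against.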