Problem for public CAs

["Graham Laws" <lawsg@xxxxxxxxxxxxxxxxxxx>]

For public CAs, particularly in Europe, the requirement to place an email
address in the subjectAltname extension of each x.509 public key certificate
in order to enable S/MIME is a big problem.

Firstly, all such certificates must reside in a public Directory. Any
determined spammer is going to be able to easily create an immense spam list
from the Directory's entire certificate population, using a few LDAP calls
and an ASN.1 decoder. Our customers are already nervous at the prospect of
this, and for potential customers it may be a significant bar to take-up.

Secondly, the European Privacy Directive looks very unfavourably upon
real-world identities being in any way expressed both in the Subject and
SubjectAltName attributes of the public key certificate. This would appear
to rule out S/MIME for those whose names are embedded in their email
addresses, e.g.  graham.laws@xxxxxxxxxxxxxxxx

The issues raised by the second point are relatively easy to circumvent. Use
pseudonymous names for the Subject, and insist on a pseudonymous email
address if S/MIME is required.

But the first point about the ease with which spam lists can be created is a
real worrier. I have looked through previous threads, including the one
entitled "Mail addresses in S/MIME certs", but I can't find where these
specific issues have been discussed before.

Comments/discussion via this forum welcome.

Best Regards
Graham Laws

______________________________________________
Graham Laws
PKI Systems Technical Consultant
Royal Mail ViaCode	Phone : 	+44 (0)1246-293761
Block A, 1st Floor	Postline : 5453-3761
St. Mary's Court		Fax : 	+44 (0)1246-293751
St. Mary's Gate
Chesterfield
S41 7TD

Public Key Validation String : MXZQ-7MM5-9A58