[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problem for public CAs

To: ietf-smime@xxxxxxx
Subject: Re: Problem for public CAs
From: "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>
Date: Mon, 7 Feb 2000 13:36:16 -0500 (EST)
List-archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-id: <ietf-smime.imc.org>
List-unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Reply-to: "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>
Sender: owner-ietf-smime@xxxxxxx

Graham,

The problem with requiring email addresses in certificates (assuming
the address is examined by Mail User Agents) is much more basic:  the
identity certified by a CA has in principle nothing to do with where
email is sent from or delivered to.  Regardless of whether I want my
Certified Net Nym to be "Dave Kemp" or "dpkemp@xxxxxxxxxxxxxx", I
should be able to send and receive S/MIME messages using any address,
including "dave@xxxxxxxxxxxxxxxxx" and "12345@xxxxxxxxxxxxxx", without
having to know in advance where I might be or who I'll be using for
an ISP.

The concept that Identification and Authentication should be independent
of transport addressing seems not to have gained traction last time
around, for some unfathomable reason.  Perhaps the spam and privacy
arguments will resonate more effectively with readers of this list.

Good luck.

Dave



> From: "Graham Laws" <lawsg@xxxxxxxxxxxxxxxxxxx>
> To: "'SMIME IETF'" <ietf-smime@xxxxxxx>
> Subject: Problem for public CAs
> Date: Mon, 7 Feb 2000 14:24:16 -0000
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
> Importance: Normal
> List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
> List-ID: <ietf-smime.imc.org>
> List-Unsubscribe: <mailto:ietf-smime-request@xxxxxxx?body=unsubscribe>
> 
> For public CAs, particularly in Europe, the requirement to place an email
> address in the subjectAltname extension of each x.509 public key certificate
> in order to enable S/MIME is a big problem.
> 
> Firstly, all such certificates must reside in a public Directory. Any
> determined spammer is going to be able to easily create an immense spam list
> from the Directory's entire certificate population, using a few LDAP calls
> and an ASN.1 decoder. Our customers are already nervous at the prospect of
> this, and for potential customers it may be a significant bar to take-up.
> 
> Secondly, the European Privacy Directive looks very unfavourably upon
> real-world identities being in any way expressed both in the Subject and
> SubjectAltName attributes of the public key certificate. This would appear
> to rule out S/MIME for those whose names are embedded in their email
> addresses, e.g.  graham.laws@xxxxxxxxxxxxxxxx
> 
> The issues raised by the second point are relatively easy to circumvent. Use
> pseudonymous names for the Subject, and insist on a pseudonymous email
> address if S/MIME is required.
> 
> But the first point about the ease with which spam lists can be created is a
> real worrier. I have looked through previous threads, including the one
> entitled "Mail addresses in S/MIME certs", but I can't find where these
> specific issues have been discussed before.
> 
> Comments/discussion via this forum welcome.
> 
> Best Regards
> Graham Laws
> 
> ______________________________________________
> Graham Laws
> PKI Systems Technical Consultant
> Royal Mail ViaCode	Phone : 	+44 (0)1246-293761
> Block A, 1st Floor	Postline : 5453-3761
> St. Mary's Court		Fax : 	+44 (0)1246-293751
> St. Mary's Gate
> Chesterfield
> S41 7TD
> 
> Public Key Validation String : MXZQ-7MM5-9A58
> 
>

Prev by Date: Re: Problem for public CAs
Next by Date: RE: Problem for public CAs
Previous by thread: Re: Problem for public CAs
Next by thread: RE: Problem for public CAs
Index(es):
- Date
- Thread