[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [ebxml-cppa] SMTP Needs "to" and "from" e-mail addresses
Date: Thu, 03 Jan 2002 11:16:48 -0700 From: Dale Moberg <dmoberg@cyclonecommerce.com> The security point (not universally agreed upon as far as I can tell) is that it would be best if a "From" address agree with the email address in the signer's certificate. If the signer's certificate even contains an email address at all. I looked into this recently and found that the official standards for certificates seem to be somewhat ahead of what people are really using. For example, when you form an HTTPS connection to a commercial Web server, your browser wants to check that the DNS address that you think you're talking to matches the certificate. So where in the certificate do you find the DNS name? The standards say that it's supposed to be in the subjectAltName extension with the DNSName form of name. But in real life, nobody seems to be using subjectAltName at all. Instead, they use a DN whose first AVA is "cn=www.foobar.com". Using "cn" for the DNS name isn't part of any official standard, as far as I know, but just seems to be an informal convention that the real software all knows about. The analogous question arises: where in a certificate do you find an email address? (The certificates that the HTTPS web sites use don't have email addresses in them; presumably one obtains a different certificate to represent an email identity.) The standards say that there is the emailAddress value of the subjectAltName extension, and I think that's what one is "officially" suppose to use. But I don't know what's used in practice. In fact, I'm so out of it that I don't even know to what extent there is a real "practice" out there using email secured with X.509 certificates. It seems to me that if we're going to tell implementors that they should compare email addresses with values found in certificates, we ought to specify exactly where in the certificate they should look. If there's a conflict between the de jure standards and the de facto practice, we ought to address that.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC