OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-cppa message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [ebxml-cppa] SMTP Needs "to" and "from" e-mail addresses

   Date: Thu, 03 Jan 2002 11:16:48 -0700
   From: Dale Moberg <dmoberg@cyclonecommerce.com>

   The security point (not universally agreed
   upon as far as I can tell) is that it would be
   best if a "From" address agree with the
   email address in the signer's certificate.

If the signer's certificate even contains an email address at all.

I looked into this recently and found that the official standards for
certificates seem to be somewhat ahead of what people are really
using.  For example, when you form an HTTPS connection to a commercial
Web server, your browser wants to check that the DNS address that you
think you're talking to matches the certificate.

So where in the certificate do you find the DNS name?  The standards
say that it's supposed to be in the subjectAltName extension with the
DNSName form of name.  But in real life, nobody seems to be using
subjectAltName at all.  Instead, they use a DN whose first AVA is
"cn=www.foobar.com".  Using "cn" for the DNS name isn't part of any
official standard, as far as I know, but just seems to be an informal
convention that the real software all knows about.

The analogous question arises: where in a certificate do you find an
email address?  (The certificates that the HTTPS web sites use don't
have email addresses in them; presumably one obtains a different
certificate to represent an email identity.)  The standards say that
there is the emailAddress value of the subjectAltName extension, and I
think that's what one is "officially" suppose to use.  But I don't
know what's used in practice.  In fact, I'm so out of it that I don't
even know to what extent there is a real "practice" out there using
email secured with X.509 certificates.

It seems to me that if we're going to tell implementors that they
should compare email addresses with values found in certificates, we
ought to specify exactly where in the certificate they should look.
If there's a conflict between the de jure standards and the de facto
practice, we ought to address that.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC