Subject: RE: [ebxml-cppa] SMTP Needs "to" and "from" e-mail addresses
Dan,

For SMIME, the following OID is normally used for the email address attribute:

e-mailAddress OBJECT IDENTIFIER ::= {iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1}

This practice was documented in the SMIME implementation guide -- you can pull a copy down from http://lib.ua.ac.be/ibw/PDF/smimeimp.pdf

I expect the conventions for xmldsig certificate usage to follow what is done for smime, but those usage conventions are only now emerging. You may find it useful to look at the RSA (www.rsa.com) smime resources to find background documents like PKCS6 and extended attribute discussions. Notice that this email attribute is not under the X.500 name fields (see www.alvestrand.no for a good online index of OIDs and some text discussion).

Most of the problem I discussed was discussed at length on several occasions in several forums. The smime archive for the ietf wg could be searched and I bet it is there somewhere, probably at www.imc.org or a pointer to it somewhere in that vicinity.

Feel free to email me if you need some more pointers. There is a large and diffuse bunch of information involved.

Dale

-----Original Message-----
From: Dan Weinreb [mailto:dlw@exceloncorp.com]
Sent: Thursday, January 03, 2002 12:01 PM
To: Dale Moberg
Cc: mwsachs@us.ibm.com; firefly@us.ibm.com; ebxml-cppa@lists.oasis-open.org
Subject: Re: [ebxml-cppa] SMTP Needs "to" and "from" e-mail addresses

   Date: Thu, 03 Jan 2002 11:16:48 -0700
   From: Dale Moberg <dmoberg@cyclonecommerce.com>

   The security point (not universally agreed upon as far as I can tell) is that it would be best if a "From" address agree with the email address in the signer's certificate. If the signer's certificate even contains an email address at all.

I looked into this recently and found that the official standards for certificates seem to be somewhat ahead of what people are really using.
For example, when you form an HTTPS connection to a commercial Web server, your browser wants to check that the DNS address that you think you're talking to matches the certificate. So where in the certificate do you find the DNS name? The standards say that it's supposed to be in the subjectAltName extension with the DNSName form of name. But in real life, nobody seems to be using subjectAltName at all. Instead, they use a DN whose first AVA is "cn=www.foobar.com". Using "cn" for the DNS name isn't part of any official standard, as far as I know, but just seems to be an informal convention that the real software all knows about.

The analogous question arises: where in a certificate do you find an email address? (The certificates that the HTTPS web sites use don't have email addresses in them; presumably one obtains a different certificate to represent an email identity.) The standards say that there is the emailAddress value of the subjectAltName extension, and I think that's what one is "officially" supposed to use. But I don't know what's used in practice. In fact, I'm so out of it that I don't even know to what extent there is a real "practice" out there using email secured with X.509 certificates.

It seems to me that if we're going to tell implementors that they should compare email addresses with values found in certificates, we ought to specify exactly where in the certificate they should look. If there's a conflict between the de jure standards and the de facto practice, we ought to address that.
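The comparison Dan describes, done against both places a certificate may carry an email address (the subjectAltName rfc822Name the standards point to, and the PKCS#9 emailAddress DN attribute Dale's OID names), as an added Go example that is not part of this thread. It uses Go's standard-library x509 package; the self-signed certificate, the "demo signer" name and the addresses are constructed demo input, not values from the list.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"strings"
	"time"
)

// PKCS#9 emailAddress attribute OID (1.2.840.113549.1.9.1), as quoted in the thread.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// certEmails: subjectAltName rfc822Names (the standards-track place) first, then any legacy emailAddress DN attribute.
func certEmails(cert *x509.Certificate) []string {
	emails := append([]string(nil), cert.EmailAddresses...)
	for _, atv := range cert.Subject.Names { // Names keeps attributes Go does not map to a pkix.Name field
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			emails = append(emails, s)
		}
	}
	return emails
}

// fromMatchesCert is the check the thread asks for: does the From address agree with an address bound in
// the signer's certificate? Local part compared exactly (SMTP leaves its case to the receiving host), domain case-insensitively.
func fromMatchesCert(from string, cert *x509.Certificate) bool {
	fi := strings.LastIndex(from, "@")
	for _, e := range certEmails(cert) {
		if ei := strings.LastIndex(e, "@"); fi > 0 && ei > 0 && from[:fi] == e[:ei] && strings.EqualFold(from[fi+1:], e[ei+1:]) {
			return true
		}
	}
	return false // a certificate with no email address at all never matches
}

// selfSignedCert: throwaway demo cert (constructed input) with sanEmails as rfc822Names and dnEmail, if set, as an IA5String DN attribute.
func selfSignedCert(sanEmails []string, dnEmail string) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo signer"},
		EmailAddresses: sanEmails, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if dnEmail != "" {
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress,
			Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(dnEmail)}}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // a failure here surfaces as a parse error below
	return x509.ParseCertificate(der)
}
```

A verifier that only reads cert.EmailAddresses would reject every certificate that carries its address the legacy way, which is the de jure versus de facto gap the thread is about.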