Robert;
Let me start with two sentences in your answer:
"Unfortunately the one to one mapping of email address to certificate is
built into our database format. Getting basic S/MIME working is the
immediate goal."
And in a year or so it will be " We can't make it more flexible, too much code
depends upon this API and structure."
The reason I bring this up is that while standards and RFC' s are great (so many to
choose from) it is the early implementations that define the 'practice'. And
'practice' takes pecedence over 'policy'! The X.509 allowes multiple subjetAltName
extensions, which means multiple e-mail addresses, Why not the address book?
Is it the marketing push , "Get it to market now, make it work later"? But I flame....
Anyway, on to the specifics....
Robert Relyea wrote:
>
>
> Victor Probo wrote:
>
>> I am asking what Mozilla will consider as a valid signature, and how it will
>> respond. (please ignore spelling errors, we all know why) Start with the
>> assumption that you have a validly structured X.509v3 certificate signed by
>> an acceptable CA.
>
>
>
> Here's what communicator 4.x does today (for reference):
>
> If the email check fails, the signature is labelled invalid. The email address in
> the cert must match the from line of the e-mail.
Unfortunatly this is spoofable, but probably nothing better.
> e-mail addresses and certificates match one for one. That is one certificate
> (actually one set of certificates matched by subject) match
? 'subject' = CN or DN?
All certs in a set must have same email?
> one for one to email address. Communicator can not handle more than one certificate
> (subject)* per email address, nor can it handle multiple email addresses for
> pointing to the same certificate (subject)
