[Novalug] OT: S/MIME certificate protocol

Rich Goodwin rich.goodwin@cox.net
Sun Jan 18 21:25:39 EST 2009


Certificates can have multiple email addresses associated with them.  It
sounds like you did not add one (I want to say it is subjectAltName).
PGP/GPG support this as well.  

Proper processing is that the names need to match - your email address
must match what is in the certificate.  Some mail clients (ahem ... M$)
will allow the client to override this.  I don't understand why since
this means you are accepting an untrusted matching in identities ...

Can you add more emails to the cert?  I don't recall if CACERT will ...
using PGP/GPG keys, you can. After doing so though, you need to get
folks to attest this is you.  You may simply want to obtain a "new"
CACERT with all the appropriate emails. 

Rich

On Sun, 2009-01-18 at 18:50 -0500, Bud Roth wrote:
> On a separate mailing list, I received an email from a neighbor warning
> me that their email client was rejecting my emails as suspicious because
> the email address associated with my S/MIME certificate was not the same
> as the one that I was using to send email.  (The S/MIME cert contains
> some identifying information, including an email address used to create
> my CACert account.)
> 
> Like a lot of people, I have a couple "junk" emails for mailing lists
> and the like.  I don't like having umpteen certificates and gpg
> signatures, so I tend to associate multiple emails with each.  Nobody
> has ever complained about using multiple emails with one gpg signature,
> so I assumed the same protocol applied to S/MIME certificates.  After
> all, a signature really only means that all signed documents (email or
> otherwise) originated from the same person.  I've identified myself to
> two CACERT verifiers, so my S/MIME certificate does provide pretty solid
> proof that all signed emails originate from me.  Although I could create
> a number of CACERT certs for various emails, my preference would be to
> keep it to one.  
> 
> Does anyone know if there is a protocol that the email cert be used only
> by the email used to register the account with which I created the
> S/MIME certificate or does my neighbor have an email client that
> misinterprets the cert's meaning?  Comments would be appreciated.
> 
> Regards,
> 
> Bud Roth
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
-- 


Remember, all Windows machines are, by definition, fault tolerant.

              They run Windows don't they!!
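The check Rich describes, as an added example that is not part of the thread: a mail client collects every address the certificate was issued for (the rfc822Name entries of subjectAltName plus the legacy emailAddress attribute in the subject DN) and compares the sender's From address against that set. The SAN bytes below are a constructed sample, not a real certificate, and the parser is a minimal DER walker using only the standard library.

```python
from email.utils import parseaddr

def san_rfc822_names(san_der):
    """Return the rfc822Name entries of a DER-encoded SubjectAltName value.

    GeneralNames ::= SEQUENCE OF GeneralName; rfc822Name is context tag [1]
    (0x81) carrying an IA5String.  Minimal TLV walker: short- and long-form
    lengths, every other GeneralName choice (dNSName, URI, ...) is skipped."""
    def read_tlv(buf, pos):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                 # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return tag, buf[pos:pos + length], pos + length

    tag, body, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x81:
            names.append(value.decode("ascii"))
    return names

def cert_emails(san_der, subject_email=None):
    """All addresses a certificate vouches for: SAN rfc822Names plus the
    older emailAddress attribute of the subject DN, if the CA put one there."""
    emails = set(san_rfc822_names(san_der))
    if subject_email:
        emails.add(subject_email)
    return emails

def sender_matches_cert(from_header, emails):
    """RFC 5280 section 7.5 comparison: local-part exact, domain case-insensitive.
    (Many clients fold the whole address; the stricter rule is used here.)"""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    for cert_addr in emails:
        if "@" not in cert_addr:
            continue
        c_local, c_domain = cert_addr.rsplit("@", 1)
        if local == c_local and domain.lower() == c_domain.lower():
            return True
    return False

# Constructed sample SAN with two rfc822Names (placeholder addresses, not a real cert).
def _rfc822(name):
    return b"\x81" + bytes([len(name)]) + name.encode("ascii")

_inner = _rfc822("bud@example.org") + _rfc822("lists@example.net")
SAMPLE_SAN_DER = b"\x30" + bytes([len(_inner)]) + _inner
```

A sender address absent from the set, which is exactly the neighbor's situation in the thread, fails the check even though the signature itself verifies.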