[Novalug] OT: S/MIME certificate protocol
rich.goodwin at cox.net
Sun Jan 18 21:25:39 EST 2009
Certificates can have multiple email addresses associated with them. It
sounds like you did not add one (I want to say it is subjectAltName).
PGP/GPG support this as well.

Proper processing is that the names need to match - your email address
must match what is in the certificate. Some mail clients (ahem ... M$)
will allow the client to override this. I don't understand why since
this means you are accepting an untrusted matching in identities ...

Can you add more emails to the cert? I don't recall if CACERT will ...
Using PGP/GPG keys, you can. After doing so though, you need to get
folks to attest this is you. You may simply want to obtain a "new"
CACERT with all the appropriate emails.

On Sun, 2009-01-18 at 18:50 -0500, Bud Roth wrote:
> On a separate mailing list, I received an email from a neighbor warning
> me that their email client was rejecting my emails as suspicious because
> the email address associated with my S/MIME certificate was not the same
> as the one that I was using to send email. (The S/MIME cert contains
> some identifying information, including an email address used to create
> my CACert account.)
> Like a lot of people, I have a couple "junk" emails for mailing lists
> and the like. I don't like having umpteen certificates and gpg
> signatures, so I tend to associate multiple emails with each. Nobody
> has ever complained about using multiple emails with one gpg signature,
> so I assumed the same protocol applied to S/MIME certificates. After
> all, a signature really only means that all signed documents (email or
> otherwise) originated from the same person. I've identified myself to
> two CACERT verifiers, so my S/MIME certificate does provide pretty solid
> proof that all signed emails originate from me. Although I could create
> a number of CACERT certs for various emails, my preference would be to
> keep it to one.
> Does anyone know if there is a protocol that the email cert be used only
> by the email used to register the account with which I created the
> S/MIME certificate or does my neighbor have an email client that
> misinterprets the cert's meaning? Comments would be appreciated.
> Bud Roth
Remember, all Windows machines are, by definition, fault tolerant.
They run Windows don't they!!
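The address check discussed in this thread, as an added example that is not part of either poster's message: it compares the From/Sender addresses of a message against the email addresses taken from the signer's certificate, using the RFC 5280 section 7.5 rule (local part exact, host part case-insensitive). The addresses, messages and function names are constructed for illustration, and the certificate's rfc822Name entries are assumed to have been extracted already by an X.509 library.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data: addresses as they would appear in the certificate.
CERT_ONE = ["bud@primary.example"]                            # single address
CERT_TWO = ["bud@primary.example", "bud.lists@junk.example"]  # extra SAN entry

# Constructed sample messages (headers only matter for this check).
MSG_LIST = "From: Bud Example <bud.lists@JUNK.example>\nSubject: hi\n\nbody\n"
MSG_CASE = "From: Bud Example <Bud@primary.example>\nSubject: hi\n\nbody\n"


def split_addr(addr):
    """Split an address into (local-part, lower-cased host-part)."""
    local, sep, host = addr.strip().rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not an addr-spec: {addr!r}")
    # Host part compares case-insensitively; local part must match exactly.
    return local, host.lower()


def header_addresses(msg):
    """Collect the addr-specs from the From and Sender headers."""
    values = msg.get_all("From", []) + msg.get_all("Sender", [])
    return [addr for _name, addr in getaddresses(values) if addr]


def signer_matches(raw_message, cert_emails):
    """Return the header address that matches the certificate, or None."""
    msg = message_from_string(raw_message)
    allowed = {split_addr(e) for e in cert_emails}
    for addr in header_addresses(msg):
        try:
            if split_addr(addr) in allowed:
                return addr
        except ValueError:
            continue  # malformed header address can never match
    return None


if __name__ == "__main__":
    for label, certs in (("one address", CERT_ONE), ("two addresses", CERT_TWO)):
        hit = signer_matches(MSG_LIST, certs)
        print(f"cert with {label}: {'match ' + hit if hit else 'MISMATCH, warn user'}")
```

A client that lets the user override a None result here is accepting the unverified identity binding the reply objects to.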