Michael Ströder wrote:
- add a time-stamp and update the S/MIME capabilities
and timestamp whenever a new S/MIME message is received.
- use the cert extension solely when no signed S/MIME message was received
so far or the notBefore date of the e-mail cert is newer than the
timestamp of the last S/MIME caps stored.

I 100% agree with that, use a time-stamp, and when using the cert extension, set the time-stamp value to the issuance date.

Still this assumes that the
issuing CA really knows about the correct S/MIME caps which could be
true for corporate CAs issuing e-mail certs for a well-defined set of MUAs.

This would be a defect correction for RFC 4262: only use this extension in those conditions, or if you have properly evaluated its consequences. But the client can do no better than assume the cert issuer knew what it was doing.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
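The update rule discussed in the thread (always trust the SMIMECapabilities attribute of a signed message and time-stamp it; fall back to the RFC 4262 certificate extension only when nothing was received yet or the cert's notBefore is newer than the stored time-stamp; when the extension is adopted, set the time-stamp to the issuance date) as a worked example. This is added illustration code, not code from the thread, from Mozilla NSS or from any MUA; the class and function names, the string capability labels (real MUAs carry OIDs and parameters) and the addresses and dates are constructed for the walkthrough.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class CapsRecord:
    """Stored S/MIME capabilities for one correspondent (constructed type)."""
    caps: List[str]   # capability labels; real implementations store OIDs + parameters
    stamp: datetime   # receipt time of the signed message, or notBefore of the cert
    source: str       # "message" (signed S/MIME message) or "cert" (RFC 4262 extension)


class SMIMECapsCache:
    """Per-sender cache implementing the precedence rule from the thread."""

    def __init__(self) -> None:
        self._store: Dict[str, CapsRecord] = {}

    def on_signed_message(self, sender: str, caps: List[str], received_at: datetime) -> None:
        # Capabilities carried in a signed message are asserted by the peer's own MUA,
        # so they always replace what is stored, and the time-stamp is refreshed.
        self._store[sender] = CapsRecord(list(caps), received_at, "message")

    def on_certificate(self, sender: str, cert_caps: Optional[List[str]],
                       not_before: datetime) -> bool:
        # Use the cert extension only if (a) nothing is stored for this sender yet, or
        # (b) the cert's notBefore is newer than the stored time-stamp.
        # Returns True when the extension was adopted.
        if cert_caps is None:          # cert has no SMIMECapabilities extension
            return False
        rec = self._store.get(sender)
        if rec is None or not_before > rec.stamp:
            # Per the reply above: the stored time-stamp becomes the issuance
            # (notBefore) date, not the time we happened to look at the cert.
            self._store[sender] = CapsRecord(list(cert_caps), not_before, "cert")
            return True
        return False

    def caps_for(self, sender: str) -> Optional[CapsRecord]:
        # Callers can inspect .source to decide how much to trust the CA's guess.
        return self._store.get(sender)


def utc(iso: str) -> datetime:
    """Helper: parse a constructed ISO-8601 time-stamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def walkthrough() -> List[str]:
    """Constructed scenario; returns which source is in effect after each event."""
    cache = SMIMECapsCache()
    peer = "alice@example.org"   # constructed address
    events: List[str] = []

    # 1. First contact: only Alice's cert (issued 2024-01-01) is available.
    used = cache.on_certificate(peer, ["aes128-CBC", "3des-CBC"], utc("2024-01-01T00:00:00"))
    events.append(f"cert-2024-01 adopted={used} -> {cache.caps_for(peer).source}")

    # 2. A signed message arrives on 2024-03-01 advertising stronger caps.
    cache.on_signed_message(peer, ["aes256-CBC", "aes128-CBC"], utc("2024-03-01T12:00:00"))
    events.append(f"signed-msg -> {cache.caps_for(peer).source}")

    # 3. The same 2024-01 cert is seen again: older than the stored stamp, ignored.
    used = cache.on_certificate(peer, ["aes128-CBC", "3des-CBC"], utc("2024-01-01T00:00:00"))
    events.append(f"cert-2024-01 again adopted={used} -> {cache.caps_for(peer).source}")

    # 4. A renewed cert issued 2024-06-01 postdates the last signed message: adopted.
    used = cache.on_certificate(peer, ["aes256-GCM"], utc("2024-06-01T00:00:00"))
    events.append(f"cert-2024-06 adopted={used} -> {cache.caps_for(peer).source}")
    return events


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

Step 4 is the case the thread's rule exists for: a renewed cert can legitimately override message-derived caps, but only because its notBefore is newer than the time-stamp of the last signed message, and the record keeps source="cert" so the MUA knows the caps came from the issuer rather than the peer's MUA.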
