Well, the reasons are at least obvious to us :) - the card is supposed to be in use for at least 5 years. Card owners (Health Care Providers in our case) should be able to use various email providers for exchanging medical reports. The email providers will not be gmail or yahoo, of course, but still the requirement is to allow having more than one, as well as to provide the possibility to register or switch the email provider AFTER the card was issued. And in general, as electronic IDs are spreading (at least in Europe), this is becoming quite a relevant scenario.
Concerning compliance with S/MIME 3.0 and 3.1 - the sentence "Receiving agents MUST recognize and accept certificates that contain no email address" resides in versions 3.0, 3.1 and 3.2 of the S/MIME Certificate Handling RFCs. Thunderbird is compliant with all of them - it recognizes certificates without an email address when decrypting an email or validating its signature. It even allows signing using such a certificate (though it gives a warning when the email address is missing in the signing certificate, which already poses a problem for us - doctors are easy to scare :) ). But as I said, encrypting emails with such certificates is not working. I've checked the NSS code - as you say, the retrieval of certificates from the certificate database is based on the email address. That seems to me to be inconsistent behavior - signature verification and decryption are working and only encryption is not. I think being able to support encryption, or having an option that enables or disables verification of email addresses in certificates, would make sense.

Best regards,
Sergei Evdokimov

On Mar 21, 5:54 am, Nelson B Bolyard <nel...@bolyard.me> wrote:
> On 2011/03/17 02:41 PDT, silent...@gmail.com wrote:
>
> > It seems that Thunderbird refuses to use X.509 certificates for S/MIME
> > encryption when these certificates do not contain the email address of the
> > subject. We want to use S/MIME with keys stored on smart cards and
> > certificates distributed via LDAP. For obvious reasons we cannot
> > attach certificates to fixed email addresses.
>
> Obvious? Not at all. Why not?
>
> > The RFC 3850 describing certificate handling in S/MIME 3.1 (or 2632
> > for version 3) states that "Receiving agents MUST recognize and accept
> > certificates that contain no email address". And indeed, Thunderbird
> > is able to verify a signature or decrypt an email if certificates with
> > no email addresses were used (though it gives a warning when verifying
> > a signature). It can also use a certificate without an email address
> > for signing emails. However, it fails when I'm trying to encrypt an
> > email. The encryption certificates without an email address can
> > neither be explicitly imported via Certificate Manager nor loaded from
> > the LDAP.
>
> NSS does not claim compliance with S/MIME 3.1, but only with 3.0.
>
> > Microsoft Outlook has similar issues, but after some registry tweaking
> > it can be enabled to use such certificates (http://support.microsoft.com/kb/276597).
> > Is there a way to make Thunderbird accept such certificates too?
>
> NSS's cert database is capable of storing email encryption certs that lack
> any email address, indexed by an email address not found in the cert itself.
> Thunderbird does not use that facility to enter certs into that DB. You can
> do it manually using NSS's (not Microsoft's) command line tool "certutil".
> But this is probably not the answer you seek.
>
> > Best regards,
> > Sergei Evdokimov

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
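An added example, not code from this thread nor from NSS or Thunderbird: the Go program below extracts the e-mail addresses an X.509 certificate carries (subjectAltName rfc822Name and the legacy emailAddress attribute in the subject DN, the two places RFC 3850 allows) and then performs a lookup keyed on those addresses, which is the behaviour the thread describes failing for address-less certificates. The subject names, the address and the self-signed test certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// PKCS#9 emailAddress (1.2.840.113549.1.9.1): the legacy slot for an address in the subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CertEmails lists every e-mail address a certificate carries: subjectAltName rfc822Name
// entries plus any emailAddress attribute in the subject DN. Empty means "no address".
func CertEmails(c *x509.Certificate) []string {
	out := append([]string{}, c.EmailAddresses...)
	for _, atv := range c.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			out = append(out, s)
		}
	}
	return out
}

// FindByEmail is the lookup the thread describes, keyed on addresses found inside
// the certificates: a certificate that carries none is never found for any recipient.
func FindByEmail(addr string, certs []*x509.Certificate) *x509.Certificate {
	for _, c := range certs {
		for _, e := range CertEmails(c) {
			if e == addr {
				return c
			}
		}
	}
	return nil
}

// SelfSigned builds a constructed test certificate (hypothetical subject, 1 h lifetime);
// the addresses go into subjectAltName and may be omitted to model the card certificates.
func SelfSigned(cn string, emails ...string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), EmailAddresses: emails}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
```

A directory keyed on the recipient address (the indexed DB entry Nelson mentions) is the alternative: FindByEmail can only ever return what the certificates themselves carry.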