On 22.03.11 21:00, Robert Relyea wrote:
> On 03/22/2011 02:23 AM, silent...@gmail.com wrote:
>> <...> the requirement is to allow having more than one <...> email provider
>> AFTER the card was issued.
>> <...>
> Unless there is an authoritative way to bind the cert to a given email address,
> there is no way to use those certs for email. If you want email certs to
> interoperate with people from outside of the infrastructure, the only way is to
> put the email address in the certificate. Otherwise you are completely losing
> any value for signed and encrypted email.

I disagree with you.
As for me, I will be completely happy if your message is signed by a
certificate asserting that you are just 'Robert Relyea', without asserting
an email address.
And what is more important, your exact email address, claimed in the email
headers, is the last thing I will care about. What's the difference, do you use
this email or that?
The worst that can happen if an adversary forges your 'reply-to' address is that
my reply will not reach you. This doesn't break confidentiality, because, if I
encrypt, I encrypt with 'Robert Relyea's cert.
Keep well,
Konstantin
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto