James,

"OE" == Osterweil, Eric <[email protected]> writes:
OE> With PGP, I can use a key with a diff email than the account from
OE> which I send it (for ex, I can use my spam account and rely on my
OE> full name and friends who know me to make the logical leap), do we
OE> all want DANE to outlaw this for S/MIME?

Absolutely not.

There is no value in forcing the sending email address to match the info
in any signature over the message (or over any part of the message).

(With emphasis on /forcing/.)

From an OE perspective, I see your point. From a general security perspective,
I disagree. Folks receiving a signed message tend to assume that the "from"
field has been checked against the Subject or SAN in the signer's cert. It's
a reasonable expectation. When that reasonable assumption is not true, users
are surprised, and surprise is a bad outcome wrt security :-).

Steve

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
