Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA22492 for ; Tue, 28 Oct 2003 23:12:14 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id h9T3SWI7021283 for ; Tue, 28 Oct 2003 19:28:32 -0800 (PST) (envelope-from owner-ietf-smime@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id h9T3SWsI021282 for ietf-smime-bks; Tue, 28 Oct 2003 19:28:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.10/8.12.8) with ESMTP id h9T3SSI7021276 for ; Tue, 28 Oct 2003 19:28:31 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by hermes.cs.auckland.ac.nz (8.12.9-20030924/8.12.9) with ESMTP id h9T3Rto9008180; Wed, 29 Oct 2003 16:27:55 +1300 Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id h9T3UAo08690; Wed, 29 Oct 2003 16:30:10 +1300 Date: Wed, 29 Oct 2003 16:30:10 +1300 Message-Id: <200310290330.h9T3UAo08690@cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: blake@brutesquadlabs.com, jimsch@exmsft.com, pgut001@cs.auckland.ac.nz Subject: RE: Request change in son-of-rfc2633 Cc: ietf-smime@imc.org Sender: owner-ietf-smime@mail.imc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: "Blake Ramsdell" writes: >"When looking up certificates using the subjectKeyIdentifier field, S/MIME >agents MUST be prepared to handle multiple certificates that have the same >subjectKeyIdentifier value gracefully." That won't work if you only find the wrong cert using the sKID. That is, there are two certs with the given sKID, you get a perfect match on the one that you can locate, but it's the wrong one. The real problem here is that by building a spaghetti PKI (one that violates the original X.509 design) you're subjecting yourself to a world of pain that no amount of text in a standard can resolve. So the only practical solution would be to include a warning to say that everything works as required with a conventional PKI, but all bets are off once you're in a spaghetti PKI scenario, because the design was never intended to be used like that. Might I suggest: "The behaviour of S/MIME agents in a spaghetti PKI scenario is a ecumen^H^H^H^Hpolicy matter". Peter.