Re: Adding an email address to a SAN

On 11/14/12 3:34 AM, Melvin Carvalho wrote:
>
> OK, I've managed to create a special cert for email only with the same 
> key.
>
> What should be the EXACT SAN for signing email?
>
> I have:
>
> URI: http://melvincarvalho.com/#me, mailto:melvincarvalho@gmail.com
>
> But it's still not working yet ...


Why don't you just go to: http://id.myopenlink.net/certgen and do the 
following:

1. generate a certificate
2. see that you can use it to send signed emails.

If you get to that point, compare the certificate produced by the 
service with the one you are trying to generate by hand. That's a 
shortcut to closing this matter.

Note the following re. email clients:

1. they will check to see that the email address imprinted in the cert 
matches what you use when you send mail -- i.e., they will check the 
email account setup
2. they will repeat the check above on receipt of mail -- i.e., that the 
email address imprinted in the cert. matches that of the sender
3. on receipt of mail they will also attempt to verify the issuer's 
signature using the issuer's public key -- this is where the local CA 
trust chain comes into play.

All of the above provides protection before we then consider following a 
WebID in SAN.

S/MIME is a solid protocol only compromised by the CA network and the 
tedium associated with certificate generation. Like most existing 
pre-Web protocols, it is ultimately a powerful WebID complement.

-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Wednesday, 14 November 2012 21:15:30 UTC
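
Added example, not part of the original message and not any mail client's code: a sketch of the sender-address check described in the numbered notes above, run over two constructed SAN values. It assumes the client takes the address from rfc822Name entries in the SAN (real clients may also consult the subject DN), and the example.org names and all function names are made up for illustration.

```python
# Added illustration. The SAN bytes are constructed below, not from a real certificate.
RFC822_NAME = 0x81  # GeneralName [1] rfc822Name (RFC 5280)
URI = 0x86          # GeneralName [6] uniformResourceIdentifier

def encode_san(entries):
    """DER-encode GeneralNames from (tag, text) pairs; short-form lengths only."""
    body = b""
    for tag, text in entries:
        value = text.encode("ascii")
        if len(value) > 127:
            raise ValueError("entry too long for this sketch")
        body += bytes([tag, len(value)]) + value
    if len(body) > 127:
        raise ValueError("SAN too long for this sketch")
    return bytes([0x30, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Return the SAN entries as a list of (tag, text) pairs."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        names.append((tag, value.decode("ascii")))
    return names

def _norm(addr):
    # Assumption: RFC 5280 comparison, exact local part, case-insensitive domain.
    local, _, domain = addr.strip().rpartition("@")
    return local, domain.lower()

def sender_matches(der, sender):
    """True only if some rfc822Name entry equals the sender address."""
    return any(tag == RFC822_NAME and _norm(v) == _norm(sender) for tag, v in parse_san(der))

# Constructed SANs: the address as a mailto: URI versus as an rfc822Name entry.
URI_ONLY = encode_san([(URI, "http://example.org/#me"), (URI, "mailto:alice@example.org")])
WITH_EMAIL = encode_san([(URI, "http://example.org/#me"), (RFC822_NAME, "alice@example.org")])
```

Under that assumption, sender_matches(URI_ONLY, "alice@example.org") is False and sender_matches(WITH_EMAIL, "alice@example.org") is True; the WebID URI sits alongside the address entry in both.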