Hiya

> So, sign these three things with different CAs.

We do. But I know at least one implementation from a major vendor that assumes the same CA across users, routers and firewalls. Strange but true.

> Better yet, attach attribute authority or SPKI certs to the plain
> certificate.

Whoa. Who's implemented attribute authority? And who's implemented SPKI? I've no problem with alternatives like these, but I think EVERYONE does ExtendedKeyUsage (or can do trivially) and subjectAltName, so the solution should lie there.

Do the majority of implementations out there today match the dNSName or iPAddress in a cert's subjectAltName against the IP address they are exchanging packets with?

--
Mark Shuttleworth
Thawte
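The check the message asks about, as an added Go example that is not from the original thread or from any vendor's implementation: it builds a constructed self-signed certificate (the router name router1.example.test and the address 192.0.2.1 are assumptions) and accepts the peer only if the address it is talking to appears in subjectAltName and the certificate carries the ExtendedKeyUsage for the role it is being accepted in.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)
// newPeerCert builds a constructed, self-signed test certificate for a hypothetical router whose
// identity lives in subjectAltName (dNSName and iPAddress) and whose role is limited by EKU.
func newPeerCert(dns string, ip net.IP, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{dns},
		IPAddresses:  []net.IP{ip},
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// peerMatches is the check the message asks about: the address we actually exchange packets with
// must appear in subjectAltName (iPAddress or dNSName) and the cert must carry the expected EKU.
func peerMatches(cert *x509.Certificate, peer string, want x509.ExtKeyUsage) bool {
	if err := cert.VerifyHostname(peer); err != nil {
		return false // peer address is not among the SAN entries (IP SANs for IP literals, dNSName otherwise)
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false // certificate is not marked for this role
}
func main() {
	cert, err := newPeerCert("router1.example.test", net.ParseIP("192.0.2.1"), []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil { panic(err) }
	// right address and role: true; same cert offered from a different address: false
	fmt.Println(peerMatches(cert, "192.0.2.1", x509.ExtKeyUsageServerAuth), peerMatches(cert, "192.0.2.2", x509.ExtKeyUsageServerAuth))
}
```

A certificate issued for one role (ServerAuth here) is rejected when offered in another, which is the ExtendedKeyUsage separation the message relies on instead of separate CAs.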