When users (e.g. email@example.com) import a valid S/MIME certificate into their ID file, this enables them to send signed email. Usually the imported certificate will be set as their default signing certificate. The email listed in the certificate matches the user's email used in their personal mailbox listed in the Domino Directory. Fine so far.
However, if users utilize the supported Team Mailbox functionality, they usually use a separate mailbox to send e.g. email with a different email address e.g. firstname.lastname@example.org. If they tick the sign checkbox in the team mailbox, they get a mismatch warning because email@example.com is different from firstname.lastname@example.org.
If these users import an S/MIME certificate for email@example.com, let's call that the group or team certificate, they have to designate either firstname.lastname@example.org or email@example.com to be their default signing certificate. They cannot use both certificates simultaneously to either sign one or the other email address they are using.
I'd like to suggest that the Notes client selects the certificate from the ID file (ID vaulted) from the list of certificates in the ID file automatically if:
the certificate is valid (as it does now for the default case)
the email address in the certificate matches the team mailbox assigned address
The idea here is that users can use different mailboxes without a cumbersome switching of the default signing certificate. If this functionality is added, users can send signed email (to fight phishing) regardless of the mailbox they are using seamlessly.
Currently users have to decide which mailbox should be used for signing as only one default signing certificate can be used now.
ID switching is not an option from the usability point of view.
Adding the firstname.lastname@example.org to the default certificate is not an option.
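The selection rule proposed above (certificate is valid, and its email address matches the address of the mailbox being sent from), sketched as an added example that is not part of the original post and not Notes or Domino code. The `SigningCert` record, the function names and the `example.test` addresses are constructed for illustration; a real client would read the addresses and validity dates from the certificates in the ID file.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class SigningCert:
    """Constructed stand-in for one S/MIME certificate held in an ID file."""
    label: str
    emails: Tuple[str, ...]   # email addresses named in the certificate
    not_before: datetime
    not_after: datetime

def _norm(addr: str) -> str:
    # Compare addresses case-insensitively, ignoring surrounding whitespace.
    return addr.strip().lower()

def select_signing_cert(certs: Sequence[SigningCert], sender: str,
                        now: Optional[datetime] = None) -> Optional[SigningCert]:
    """Pick the certificate to sign with for `sender`, or None if none fits."""
    now = now or datetime.now(timezone.utc)
    wanted = _norm(sender)
    candidates = [
        c for c in certs
        if c.not_before <= now <= c.not_after            # condition 1: valid
        and wanted in {_norm(e) for e in c.emails}       # condition 2: address match
    ]
    # Two valid matches can exist while a renewal overlaps the old
    # certificate; prefer the one that expires last.
    # No match returns None: signing with a mismatched default certificate
    # would only reproduce the mismatch warning.
    return max(candidates, key=lambda c: c.not_after, default=None)

def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed ID-file contents: one personal and three team certificates.
SAMPLE_CERTS = [
    SigningCert("personal", ("alice@example.test",), _utc(2024, 1, 1), _utc(2025, 1, 1)),
    SigningCert("team-old", ("team@example.test",), _utc(2023, 1, 1), _utc(2024, 7, 1)),
    SigningCert("team-renewed", ("Team@Example.test",), _utc(2024, 5, 1), _utc(2025, 5, 1)),
    SigningCert("sales-expired", ("sales@example.test",), _utc(2022, 1, 1), _utc(2023, 1, 1)),
]

if __name__ == "__main__":
    when = _utc(2024, 6, 1)
    for addr in ("alice@example.test", "team@example.test", "sales@example.test"):
        chosen = select_signing_cert(SAMPLE_CERTS, addr, when)
        print(addr, "->", chosen.label if chosen else "no matching certificate")
```
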