[Tickets #3498] PGP and message verification
bugs@bugs.horde.org
Fri Feb 17 04:23:49 PST 2006
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=3498
-----------------------------------------------------------------------
Ticket | 3498
Updated By | harakiri_23 at yahoo.com
Summary | PGP and message verification
Queue | IMP
Version | HEAD
State | Unconfirmed
Priority | 1. Low
Type | Bug
Owners |
-----------------------------------------------------------------------
harakiri_23 at yahoo.com (2006-02-17 04:23) wrote:
> If I get a PGP signed message where the sender or from address is not
> the one or one to which the signature belongs, IMP still tells me "The
> message has been verified."
> Shouldn't it complain that the from address does not match the signature?
No it shouldn't - actually it's more a philosophical question than a security
question.
I give you S/MIME for example: S/MIME v2 said email and certificate email
must match. S/MIME v3 says it's no longer required.
The big plus for PGP was always that you are not bound to the certificate
email address (for encrypting, i.e.).
To return to your original question - let's assume you have a group account
with multiple members but only the PGP signing key for the group itself
(let's say support). Do you think that the signature is invalid just because
it was sent by Joe Average from the support group? No. Generally speaking,
everyone who has the secret key is normally authorized to sign a message, no
matter which email address he uses.
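The two sides of this thread are really two separate questions: is the signature cryptographically good, and does the signing key carry the From: address? The following is an added example (not IMP or Horde code) of a client-side policy check that keeps them apart: a good signature stays "verified", and a From: address absent from the signer's user IDs is reported as a distinct state rather than as a bad signature. The cryptographic result is assumed to come from an OpenPGP backend; the key user IDs and headers are constructed sample data.

```python
import email.utils
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class VerifyResult:
    signature_valid: bool        # cryptographic result, assumed to come from the OpenPGP backend
    from_addr: str               # addr-spec taken from the From: header
    matched_uid: Optional[str]   # signing-key user ID whose address equals From:, if any
    verdict: str                 # "bad-signature", "verified" or "verified-uid-mismatch"

def _normalize(addr: str) -> str:
    # Compare addr-specs only: display names and comments are free text chosen by the sender.
    # The domain is case-insensitive; treating the local part the same way matches common practice.
    return addr.strip().lower()

def _addr_from_uid(uid: str) -> str:
    # OpenPGP user IDs are conventionally "Name (comment) <addr>" or a bare address;
    # parseaddr handles both forms and discards the comment.
    _, addr = email.utils.parseaddr(uid)
    return _normalize(addr)

def classify(from_header: str, signature_valid: bool, signer_uids: List[str]) -> VerifyResult:
    """Separate the signature question from the address-binding question."""
    _, from_addr = email.utils.parseaddr(from_header)
    from_addr = _normalize(from_addr)
    if not signature_valid:
        return VerifyResult(False, from_addr, None, "bad-signature")
    for uid in signer_uids:
        if _addr_from_uid(uid) == from_addr:
            return VerifyResult(True, from_addr, uid, "verified")
    # Good signature from a key that does not carry this From: address: still verified
    # (the thread's point), but surfaced to the user as its own state.
    return VerifyResult(True, from_addr, None, "verified-uid-mismatch")

# Constructed sample data: the shared "support" group key from the discussion above.
SUPPORT_KEY_UIDS = [
    "Support Team (shared key) <support@example.org>",
    "support@example.org",
]

if __name__ == "__main__":
    for hdr in ("Support <support@example.org>",
                "Joe Average <joe@example.org>",
                '"support@example.org" <joe@example.org>'):
        print(hdr, "->", classify(hdr, True, SUPPORT_KEY_UIDS).verdict)
```

The third sample header shows why only the addr-spec is compared: a display name that merely contains the key's address does not count as a match.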