[imp] S/MIME IMP doesn't verify sender email?

Jan Schneider jan at horde.org
Sun Nov 9 09:18:18 UTC 2008


Quoting "vuser1 at test123.ru" <vuser1 at test123.ru>:

> Jan Schneider wrote:
>> Quoting "vuser1 at test123.ru" <vuser1 at test123.ru>:
>>
>>> When user1 sends an email signed by a certificate issued to user2, IMP
>>> says that email verification is OK, though there should be a
>>> warning, I think.
>>> ----------
>>> From:     *vuser2 at test123.ru *
>>> To:     vuser1 at test123.ru
>>> Subject:     certificate is not mine!
>>>   This message has been digitally signed via S/MIME.
>>>   The message has been verified. *Sender: vuser1 at test123.ru.*
>>> The S/MIME certificate of Thawte Freemail Member: View/Save in  
>>> your Address Book
>>> Show this HTML in a new window?
>>> -----------
>>> I have a certificate issued to vuser2 at test123.ru, imported it to
>>> vuser1 and sent the mail above. Mozilla Thunderbird says that the
>>> message signature is valid, but the email address listed in the sender
>>> certificate is different from the address that was used to send this
>>> message.
>>>
>>> Is there an option to tell IMP to check the sender email?
>>
>> It does that! The verification message clearly shows the  
>> certificate's owner.
>>
>> Jan.
>>
> Yes, it displays the owner of the cert, but why is there no warning that
> the message has been sent by another person? It definitely indicates a
> problem if the sender's email is different from the address in the sender's
> certificate.

Not necessarily, a user can send a message on behalf of a larger
entity that owns the cert. Besides that, there is technically no means
to get a message's sender from a MIME viewer (which is used to render
and verify the signed message) in Horde at the moment.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
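
The address comparison discussed in this thread, as an added example that is not part of the original messages and is not Horde or IMP code: it compares the From and Sender headers of a message with the e-mail addresses already extracted from the signer's certificate. The function name, the result strings and the example.org addresses are assumptions made for illustration, and addresses are compared case-insensitively as a simplification.

```python
from email import message_from_string
from email.utils import getaddresses


def _addresses(msg, header):
    """Return the lower-cased addr-specs found in every instance of a header."""
    return {addr.strip().lower()
            for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def check_signer_binding(raw_message, cert_addresses):
    """Classify how the signer certificate relates to the message headers.

    cert_addresses: e-mail addresses taken from the already verified signer
    certificate (subjectAltName rfc822Name or the subject emailAddress).
    """
    msg = message_from_string(raw_message)
    cert = {a.strip().lower() for a in cert_addresses if a and a.strip()}
    if not cert:
        return "no-address-in-cert"   # nothing to bind the signature to
    if _addresses(msg, "From") & cert:
        return "match-from"           # author and signer agree
    if _addresses(msg, "Sender") & cert:
        return "match-sender"         # sent on behalf of the From address
    return "mismatch"                 # valid signature, different identity


# Constructed sample messages (not taken from the thread).
MISMATCH = ("From: Alice <alice@example.org>\n"
            "To: carol@example.org\n"
            "Subject: certificate is not mine!\n\nbody\n")
ON_BEHALF = ("From: Alice <alice@example.org>\n"
             "Sender: Front Office <Office@Example.org>\n"
             "To: carol@example.org\n"
             "Subject: quarterly notice\n\nbody\n")

if __name__ == "__main__":
    for name, raw, cert in [
        ("mismatch", MISMATCH, ["bob@example.org"]),
        ("on behalf", ON_BEHALF, ["office@example.org"]),
        ("author signs", MISMATCH, ["ALICE@example.org"]),
        ("cert without address", MISMATCH, []),
    ]:
        print(f"{name}: {check_signer_binding(raw, cert)}")
```

A mail client would show the "mismatch" result as a warning next to the otherwise valid signature, while "match-sender" covers the on-behalf-of case raised in the reply.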


