[imp] S/MIME IMP doesn't verify sender email?
Jan Schneider
jan at horde.org
Sun Nov 9 09:18:18 UTC 2008
Zitat von "vuser1 at test123.ru" <vuser1 at test123.ru>:
> Jan Schneider wrote:
>> Zitat von "vuser1 at test123.ru" <vuser1 at test123.ru>:
>>
>>> When user1 send email signed by certificate issued to user2, IMP
>>> says that email verification is OK, though there should be
>>> warning, I think.
>>> ----------
>>> From: *vuser2 at test123.ru *
>>> To: vuser1 at test123.ru
>>> Subject: certificate is not mine!
>>> This message has been digitally signed via S/MIME.
>>> The message has been verified. *Sender: vuser1 at test123.ru.*
>>> The S/MIME certificate of Thawte Freemail Member: View/Save in
>>> your Address Book
>>> Show this HTML in a new window?
>>> -----------
>>> I have certificate issued to vuser2 at test123.ru, imported it to
>>> vuser1 and send the mail above. Mozilla Thunderbird says that
>>> message signature is valid, but email address listed in sender
>>> certificate is different from address that was used to send this
>>> message.
>>>
>>> Is there an option to say IMP to check sender email?
>>
>> It does that! The verification message clearly shows the
>> certificate's owner.
>>
>> Jan.
>>
> Yes, it displays owner of cert, but why there is no warning that
> message has been sent by other person? Definitely it indicates a
> problem if sender's email is different from address in sender's
> cerificate.
Not necessarily, a user can send a message on behalf of a larger
entity that owns the cert. Beside that, there is technically no mean
to get a message's sender from a MIME viewer (which is used to render
and verify the signed message) in Horde at the moment.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
More information about the imp
mailing list