[imp] S/MIME IMP doesn't verify sender email?

[Michael M Slusarz]

Quoting Jan Schneider <jan at horde.org>:

> Zitat von "vuser1 at test123.ru" <vuser1 at test123.ru>:
>
>> Jan Schneider wrote:
>>> Zitat von "vuser1 at test123.ru" <vuser1 at test123.ru>:
>>>
>>>> When user1 send email signed by certificate issued to user2, IMP  
>>>> says that email verification is OK, though there should be  
>>>> warning, I think.
>>>> ----------
>>>> From:     *vuser2 at test123.ru *
>>>> To:     vuser1 at test123.ru
>>>> Subject:     certificate is not mine!
>>>>  This message has been digitally signed via S/MIME.
>>>>  The message has been verified. *Sender: vuser1 at test123.ru.*
>>>> The S/MIME certificate of Thawte Freemail Member: View/Save in  
>>>> your Address Book
>>>> Show this HTML in a new window?
>>>> -----------
>>>> I have certificate issued to vuser2 at test123.ru, imported it to  
>>>> vuser1 and send the mail above. Mozilla Thunderbird says that  
>>>> message signature is valid, but email address listed in sender  
>>>> certificate is different from address that was used to send this  
>>>> message.
>>>>
>>>> Is there an option to say IMP to check sender email?
>>>
>>> It does that! The verification message clearly shows the  
>>> certificate's owner.
>>>
>>> Jan.
>>>
>> Yes, it displays owner of cert, but why there is no warning that  
>> message has been sent by other person? Definitely it indicates a  
>> problem if sender's email is different from address in sender's  
>> cerificate.
>
> Not necessarily, a user can send a message on behalf of a larger  
> entity that owns the cert. Beside that, there is technically no mean  
> to get a message's sender from a MIME viewer (which is used to  
> render and verify the signed message) in Horde at the moment.

This will be possible in IMP 5 - the MIME Viewer will have access to  
the full MIME message, including headers of the base RFC822 part.

michael

-- 
___________________________________
Michael Slusarz [slusarz at horde.org]