[imp] S/MIME IMP doesn't verify sender email?

Harakiri harakiri_23 at yahoo.com
Mon Nov 10 12:46:08 UTC 2008




--- On Sun, 11/9/08, Michael M Slusarz <slusarz at horde.org> wrote:

> > Not necessarily, a user can send a message on behalf
> > of a larger entity that owns the cert. Besides that, there is
> > technically no means to get a message's sender from a
> > MIME viewer (which is used to render and verify the signed
> > message) in Horde at the moment.
>
> This will be possible in IMP 5 - the MIME Viewer will have
> access to the full MIME message, including headers of the
> base RFC822 part.


The sender's address and the certificate e-mail do not need to match. Thunderbird or any other e-mail client is using the outdated S/MIME v2 spec. There is actually no requirement that the e-mails must match.

There are multiple reasons for this. The most obvious one is of course that headers are not signed - since the From header isn't signed, everyone can modify it and it does not belong to the signature/certificate validation process. Another factor is that client certificates are enrolled even without e-mail addresses in the certificate.

I hope IMP does not follow the suggestion by somebody on this list, because currently it does the right thing.
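The point about unsigned headers, as an added example that is not part of the original post or of IMP's code: in a `multipart/signed` message the signature is computed over the first body part only, so two messages that differ only in the outer From header present identical bytes to the verifier. The sample messages, addresses and the signature blob are constructed placeholders, and the helper names are hypothetical.

```python
import hashlib
from email import message_from_bytes, policy


def build(from_addr: str, text: str) -> bytes:
    """Constructed sample; the signature blob is a placeholder, not real PKCS#7."""
    return (
        f"From: {from_addr}\r\n"
        "Subject: Quarterly numbers\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
        ' micalg=sha-256; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{text}\r\n"
        "--b1\r\n"
        "Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "UExBQ0VIT0xERVI=\r\n"
        "--b1--\r\n"
    ).encode("ascii")


def signed_part(raw: bytes) -> bytes:
    """Return the first body part, the only bytes the signature is computed over."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    # The CRLF before a boundary line belongs to the delimiter (RFC 2046).
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    _outer_headers, _, body = raw.partition(b"\r\n\r\n")  # RFC 822 headers end here
    parts = (b"\r\n" + body).split(delim)
    if len(parts) < 4:
        raise ValueError("expected a content part and a signature part")
    return parts[1][2:]  # drop the CRLF that ends the delimiter line


def signed_digest(raw: bytes) -> str:
    return hashlib.sha256(signed_part(raw)).hexdigest()


if __name__ == "__main__":
    a, b = build("alice@example.org", "Hi."), build("ceo@example.org", "Hi.")
    print("same signed bytes despite different From:", signed_digest(a) == signed_digest(b))
```

A client that wants to show who signed a message therefore has to take the identity from the validated certificate, not from the From header.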


      

