[imp] S/MIME IMP doesn't verify sender email?
Jan Schneider
jan at horde.org
Mon Nov 10 13:27:29 UTC 2008
Quoting Harakiri <harakiri_23 at yahoo.com>:
>
>
>
> --- On Sun, 11/9/08, Michael M Slusarz <slusarz at horde.org> wrote:
>
>> > Not necessarily, a user can send a message on behalf
>> > of a larger entity that owns the cert. Beside that, there is
>> > technically no means to get a message's sender from a
>> > MIME viewer (which is used to render and verify the signed
>> > message) in Horde at the moment.
>>
>> This will be possible in IMP 5 - the MIME Viewer will have
>> access to the full MIME message, including headers of the
>> base RFC822 part.
>
>
> The sender's address and the certificate e-mail do not need to match.
> Thunderbird or any other e-mail client is using the outdated S/MIME
> v2 spec. There is actually no requirement that the e-mails must match.
>
> There are multiple reasons for this, the most obvious one is of
> course that headers are not signed - since the From header isn't
> signed, everyone can modify it and it does not belong to the
> signature/certificate validation process. Another factor is that
> client certificates are enrolled even without e-mail addresses in
> the certificate.
>
> I hope IMP does not follow the suggestion by somebody on this list,
> because currently it does the right thing.
Good to know! Can you point to some specs or RFCs, for the record?
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
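
An added example, not part of the original thread or of IMP's code: it shows that the bytes covered by a multipart/signed signature exclude the From header, and reports the From-versus-certificate comparison as an advisory status separate from signature validity. The sample message, the function names and the cert_emails input (addresses the caller has already read from the signer certificate) are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample: minimal multipart/signed message, CRLF line endings,
# with a placeholder where the PKCS#7 signature blob would be.
RAW = (
    b"From: Alice <alice@example.org>\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Signed body text.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pkcs7-signature\r\n"
    b"\r\n"
    b"PLACEHOLDER\r\n"
    b"--b1--\r\n"
)
# Same message with only the outer From header changed.
EDITED = RAW.replace(b"Alice <alice@example.org>", b"Mallory <mallory@example.com>")

def signed_bytes(raw: bytes) -> bytes:
    """Return the first body part: the only bytes the signature covers."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delim = b"--" + msg.get_boundary().encode("ascii")
    body = raw.split(b"\r\n\r\n", 1)[1]      # drop the outer RFC 822 headers
    # The CRLF after the delimiter line and the CRLF before the next
    # delimiter belong to the boundary, not to the signed content.
    return body.split(delim)[1][2:-2]

def sender_binding(raw: bytes, cert_emails: list[str]) -> str:
    """Advisory comparison of the From address with the certificate addresses."""
    msg = message_from_bytes(raw, policy=policy.default)
    addr = parseaddr(str(msg["From"]))[1].lower()
    if not cert_emails:
        return "cert-has-no-address"
    return "match" if addr in {e.lower() for e in cert_emails} else "mismatch"

if __name__ == "__main__":
    print(signed_bytes(RAW) == signed_bytes(EDITED))       # signed content unchanged
    print(sender_binding(EDITED, ["alice@example.org"]))   # advisory status only
```
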