[imp] S/MIME IMP doesn't verify sender email?

Harakiri harakiri_23 at yahoo.com
Mon Nov 10 14:55:33 UTC 2008




--- On Mon, 11/10/08, Jan Schneider <jan at horde.org> wrote:

> From: Jan Schneider <jan at horde.org>
> Subject: Re: [imp] S/MIME IMP doesn't verify sender email?
> To: imp at lists.horde.org
> Date: Monday, November 10, 2008, 8:27 AM
> Quoting Harakiri <harakiri_23 at yahoo.com>:
> 
> > --- On Sun, 11/9/08, Michael M Slusarz <slusarz at horde.org> wrote:
> > 
> >> > Not necessarily, a user can send a message on behalf of a larger entity that owns the cert. Besides that, there is technically no means to get a message's sender from a MIME viewer (which is used to render and verify the signed message) in Horde at the moment.
> >> 
> >> This will be possible in IMP 5 - the MIME Viewer will have access to the full MIME message, including headers of the base RFC822 part.
> > 
> > The sender's address and the certificate e-mail do not need to match. Thunderbird or any other e-mail client is using the outdated S/MIME v2 spec. There is actually no requirement that the e-mails must match.
> > 
> > There are multiple reasons for this, the most obvious one is of course that headers are not signed - since the From header isn't signed, everyone can modify it and it does not belong to the signature/certificate validation process. Another factor is that client certificates are enrolled even without e-mail addresses in the certificate.
> > 
> > I hope IMP does not follow the suggestion by somebody on this list, because currently it does the right thing.
> 
> Good to know! Can you point to some specs or RFCs, for the record?
> 
> Jan.

Obvious RFC would be http://www.ietf.org/rfc/rfc2633.txt - it doesn't say anything about verifying the From header and the certificate.

More information about the imp mailing list
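The point made in this thread, that the From header lies outside what an S/MIME signature covers, shown as an added example (not part of the original posts and not Horde/IMP code): it extracts the bytes a multipart/signed signature is computed over and shows they do not change when From is rewritten. The sample message, the addresses and the placeholder signature blob are constructed, and the helper names are hypothetical.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample. The signature part is a placeholder, not a real CMS blob.
RAW = (
    b"From: Alice <alice@example.org>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Numbers attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UExBQ0VIT0xERVI=\r\n"
    b"--b1--\r\n"
)

def signed_content(raw: bytes) -> bytes:
    """Return the exact bytes of the first body part, which is what the signature covers."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed" or not msg.get_boundary():
        raise ValueError("not a multipart/signed message")
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    body = raw.split(b"\r\n\r\n", 1)[1]        # everything after the outer headers
    parts = (b"\r\n" + body).split(delim)      # [preamble, content, signature, "--..."]
    if len(parts) < 4:
        raise ValueError("expected a content part and a signature part")
    return parts[1][2:]                        # drop the CRLF ending the delimiter line

def signed_digest(raw: bytes) -> str:
    return hashlib.sha256(signed_content(raw)).hexdigest()

def from_address(raw: bytes) -> str:
    return message_from_bytes(raw, policy=policy.default)["From"].addresses[0].addr_spec

def with_from(raw: bytes, new_from: str) -> bytes:
    """Rewrite the outer From header (single-line headers only); the body is untouched."""
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = [b"From: " + new_from.encode("ascii") if ln.lower().startswith(b"from:") else ln
             for ln in head.split(b"\r\n")]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

if __name__ == "__main__":
    for m in (RAW, with_from(RAW, "Someone Else <other@example.net>")):
        print(from_address(m), signed_digest(m))  # different From, same digest
```

Because the digest is identical for both messages, any signer identity a client displays has to be taken from the certificate carried in the signature, not from the From header.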