[imp] S/MIME IMP doesn't verify sender email?

vuser1 at test123.ru
Mon Nov 10 18:31:11 UTC 2008


Harakiri wrote:
>
> --- On Sun, 11/9/08, Michael M Slusarz <slusarz at horde.org> wrote:
>
>> Besides that, there is
>> technically no means to get a message's sender from a
>> MIME viewer (which is used to render and verify the signed
>> message) in Horde at the moment.
>>
>> This will be possible in IMP 5 - the MIME Viewer will have
>> access to the full MIME message, including headers of the
>> base RFC822 part.
>
> The sender's address and the certificate e-mail do not need to match. Thunderbird or any other e-mail client is using the outdated S/MIME v2 spec. There is actually no requirement that the e-mails must match.
>
> There are multiple reasons for this; the most obvious one is of course that headers are not signed - since the From header isn't signed, everyone can modify it and it does not belong to the signature/certificate validation process. Another factor is that client certificates are enrolled even without e-mail addresses in the certificate.
>
> I hope IMP does not follow the suggestion by somebody on this list, because currently it does the right thing.

Of course MIME headers are not signed and the RFC does not require
validation of the "From:" field. The RFC is a technical standard. The standard does
not *prohibit* a sender address warning. From the user perspective, it is
good to be warned that From: is different from the certificate holder. IMP
is for people. Please take this into consideration during the IMP5
implementation. It could be an option in config, for example - do
warning or not. A lot of IMP installations will turn this option on, I think.
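The check being argued over in this thread, as an added example (not Horde/IMP code and not from either poster): compare the address in the From: header with the e-mail addresses carried by the signer's certificate and report a mismatch as a warning rather than a signature failure. The outer From: header is not covered by the S/MIME signature, so this is a consistency warning for the user, exactly as proposed above, and it is switchable by a config-style flag. The certificate addresses are passed in as a plain list (assumed to have been extracted by the caller from the certificate's rfc822Name subjectAltName entries or the legacy emailAddress subject attribute); the sample messages and addresses are constructed. It also handles the case Harakiri raises of a certificate that carries no e-mail address at all.

```python
from email import message_from_string
from email.utils import parseaddr

# Outcomes of comparing the From: header with the signer's certificate.
MATCH = "match"
MISMATCH = "mismatch"
NO_CERT_EMAIL = "no-cert-email"   # certificate carries no address: nothing to compare
NO_FROM = "no-from"               # message has no parsable From: address


def normalise(addr):
    """Fold the address for comparison. The domain is case-insensitive; the local
    part is formally case-sensitive (RFC 5321) but is folded here too, on the
    assumption that deployments treat it that way."""
    addr = addr.strip()
    if "@" not in addr:
        return addr.lower()
    local, domain = addr.rsplit("@", 1)
    return local.lower() + "@" + domain.lower()


def from_address(raw_message):
    """Return the normalised addr-spec from the From: header, ignoring the display
    name (a display name that looks like an address is a classic spoof)."""
    msg = message_from_string(raw_message)
    hdr = msg.get("From")
    if hdr is None:
        return None
    _display_name, addr = parseaddr(hdr)
    return normalise(addr) if addr else None


def check_sender(raw_message, cert_emails):
    """Compare the From: address with the addresses from the signer's certificate.
    Returns (status, sender). Note the From: header is NOT part of the signed
    content, so MATCH only means 'consistent', not 'authenticated header'."""
    sender = from_address(raw_message)
    if sender is None:
        return NO_FROM, sender
    cert_set = {normalise(e) for e in cert_emails if e}
    if not cert_set:
        # Certificates are sometimes enrolled without any e-mail address.
        return NO_CERT_EMAIL, sender
    return (MATCH if sender in cert_set else MISMATCH), sender


def sender_warning(raw_message, cert_emails, warn_on_mismatch=True):
    """The config switch proposed in the thread: return a warning text, or None.
    The signature itself is verified elsewhere; this never changes that verdict."""
    status, sender = check_sender(raw_message, cert_emails)
    if not warn_on_mismatch:
        return None
    if status == MISMATCH:
        return "Message signed by %s, but the From: header says %s" % (
            ", ".join(sorted(cert_emails)), sender)
    if status == NO_CERT_EMAIL:
        return "Signer certificate contains no e-mail address; sender cannot be checked"
    return None


# Constructed sample messages (headers only matter here) and a constructed
# certificate address list.
CERT_EMAILS = ["alice@example.org"]
SIGNED_OK = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
SPOOFED_DISPLAY = 'From: "alice@example.org" <mallory@example.net>\n\nbody\n'
CASE_VARIANT = "From: Alice <Alice@EXAMPLE.org>\n\nbody\n"
NO_FROM_MSG = "Subject: no sender\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("ok", SIGNED_OK), ("spoofed display name", SPOOFED_DISPLAY),
                      ("case variant", CASE_VARIANT), ("no From", NO_FROM_MSG)]:
        print(name, "->", check_sender(raw, CERT_EMAILS), sender_warning(raw, CERT_EMAILS))
```

The spoofed-display-name case is the one a user-facing warning earns its keep on: the display name reads as the certificate holder's address while the real addr-spec is someone else's, and only the addr-spec is compared.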