[imp] smime support in Horde 4.0
Nikolaos Milas
nmilas at noa.gr
Tue Jan 10 07:02:22 UTC 2012
On 28/12/2011 12:42 AM, Nikolaos Milas wrote:
> On 27/12/2011 11:32 PM, Michael M Slusarz wrote:
>
>> Do you locally have a copy of the signer's certificate? If not,
>> there is no way to reliably verify the certificate - anybody can
>> create a certificate containing the sender's credentials.
>
> Hmm, not really; if the personal certificate is signed from an
> official CA, whose certificate is in turn included in the CAfile used
> for verification (which is the case in our scenario), then the
> certificate is considered verified. Isn't it?

Hi,

I haven't seen any progress on this issue.

I would like to add that - for example - Thunderbird includes
functionality to declare a CA certificate as "Trusted", and,
subsequently, it automatically accepts people's certificates signed by
that CA as trusted as well.

Similarly, the Horde S/MIME extension, since it is using OpenSSL and a
specific CAfile, should accept as trusted all personal certificates
signed by any CA included in that CAfile. So, if this is the case (as in
our case), the message by SMIME should NOT be: "Message verified
successfully but the signer's certificate could not be verified." but
"Message verified successfully."

Otherwise, Horde S/MIME should include (similar to Thunderbird)
functionality to declare certificates as trusted. Currently, even if we
manually import a (public) personal certificate for a particular person,
and that person is in our address book, Horde S/MIME insists that
"...the signer's certificate could not be verified."

So, when will Horde S/MIME - as it is now - accept that the signer's
certificate could be verified?

Additionally, the displayed S/MIME Sender information does not always
match the mail message sender address. Currently, Horde S/MIME, like
Mozilla Thunderbird and MS Outlook, actually displays as the "email" the
*first* address of those included in the Subject Alternative Name
Extension. Yet, I believe that it should not display the *first* one (of
the email addresses placed in the Subject Alternative Name Extension),
but the one that *matches* the mail message sender's address, if there
is one. Note that Squirrelmail smime plugin has recently been updated to
behave like that as well. (Refs: RFC 5280, Sections 4.1.2.6 and 4.2.1.6.)

Please advise.

Thanks,
Nick
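
The address selection requested in the message above, as an added example (not code from Horde, SquirrelMail or the original post): it prefers the certificate address that matches the From: header and reports when none does. It assumes the Subject Alternative Name is available in OpenSSL's text form (`email:...` entries); the function names and sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample: SAN extension as OpenSSL renders it in text form.
SAMPLE_SAN = "email:n.milas@example.org, email:nick@example.org, DNS:mail.example.org"


def san_emails(san_text):
    """Return the rfc822Name (email:) entries of a SAN string, in order."""
    emails = []
    for item in san_text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "email" and "@" in value:
            emails.append(value.strip())
    return emails


def same_mailbox(a, b):
    """RFC 5280 section 7.5: local part exact, host part case-insensitive."""
    local_a, _, host_a = a.rpartition("@")
    local_b, _, host_b = b.rpartition("@")
    return local_a == local_b and host_a.lower() == host_b.lower()


def signer_display(from_header, san_text, subject_email=None):
    """Pick the certificate address to show; returns (address, matches_sender)."""
    sender = parseaddr(from_header)[1]
    candidates = san_emails(san_text)
    if subject_email:  # legacy emailAddress attribute in the subject DN
        candidates.append(subject_email)
    for addr in candidates:
        if sender and same_mailbox(addr, sender):
            return addr, True
    # Nothing in the certificate matches From:, so show the first address
    # and report the mismatch instead of silently displaying it.
    return (candidates[0] if candidates else None), False


if __name__ == "__main__":
    for hdr in ("Nick <nick@Example.ORG>", "Someone <other@example.net>"):
        print(hdr, "->", signer_display(hdr, SAMPLE_SAN))
```

The second element of the result lets a mail client show a distinct warning when a validly signed message carries a certificate issued for a different address than the one in From:.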