[imp] smime support in Horde 4.0
Jan Schneider
jan at horde.org
Tue Jan 10 13:16:46 UTC 2012
Quoting Nikolaos Milas <nmilas at noa.gr>:
> On 28/12/2011 12:42 AM, Nikolaos Milas wrote:
>
>> On 27/12/2011 11:32 PM, Michael M Slusarz wrote:
>>
>>> Do you locally have a copy of the signer's certificate? If not,
>>> there is no way to reliably verify the certificate - anybody can
>>> create a certificate containing the sender's credentials.
>>
>> Hmm, not really; if the personal certificate is signed from an
>> official CA, whose certificate is in turn included in the CAfile
>> used for verification (which is the case in our scenario), then the
>> certificate is considered verified. Isn't it?
>
> Hi,
>
> I haven't seen any progress on this issue.
>
> I would like to add that - for example - Thunderbird includes
> functionality to declare a CA certificate as "Trusted", and,
> subsequently, it automatically accepts people's certificates signed
> by that CA as trusted as well.
>
> Similarly, Horde S/MIME extension, since it is using OpenSSL and a
> specific CAfile, should accept as trusted all personal certificates
> signed by any CA included in that CAfile. So, if this is the case
> (as in our case), the message by SMIME should NOT be: "Message
> verified successfully but the signer's certificate could not be
> verified." but "Message verified successfully."
>
> Otherwise, Horde S/MIME should include (similar to Thunderbird)
> functionality to declare certificates as trusted. Currently, even if
> we manually import a (public) personal certificate for a particular
> person, and that person is in our address book, Horde S/MIME insists
> that "...the signer's certificate could not be verified."
>
> So, when will Horde S/MIME - as it is now - accept that the signer's
> certificate could be verified?

This has nothing to do with Horde. All verification is done via OpenSSL.

> Additionally, the displayed S/MIME Sender information does not
> always match the mail message sender address. Currently, Horde
> S/MIME, like Mozilla Thunderbird and MS Outlook, actually displays
> as the "email" the *first* address of those included in the Subject
> Alternative Name Extension. Yet, I believe that it should not
> display the *first* one (of the email addresses placed in the
> Subject Alternative Name Extension ), but the one that *matches* the
> mail message sender's address, if there is one. Note that
> Squirrelmail smime plugin has recently been updated to behave like
> that as well. (Refs: RFC 5280, Sections 4.1.2.6 and 4.2.1.6.)

This is not trivial, because the cert doesn't know anything about its
envelope, i.e. the e-mail message.

Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
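
The address selection requested in the quoted message, as an added example that is not part of the original thread and not Horde's code: the caller supplies the message's From header (the certificate knows nothing about the message), and the function returns the certificate address that matches it, comparing the local part exactly and the domain case-insensitively. Function names and sample addresses are constructed; the SAN input is assumed to be OpenSSL's textual form (`email:..., DNS:...`).

```python
from email.utils import parseaddr


def san_emails(san_text):
    """Extract rfc822Name entries from OpenSSL's textual subjectAltName."""
    found = []
    for item in san_text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind.lower() == "email" and value.strip():
            found.append(value.strip())
    return found


def _compare_key(addr):
    # Local part is compared exactly, domain case-insensitively.
    local, _, domain = addr.rpartition("@")
    return (local, domain.lower())


def signer_address_for(from_header, san_text, subject_email=None):
    """Return (address_to_display, matches_sender).

    subject_email is the legacy emailAddress attribute of the subject DN,
    if the certificate carries one (assumed to be extracted by the caller).
    """
    candidates = san_emails(san_text)
    if subject_email:
        candidates.append(subject_email)

    # Strip any display name: '"N. Smith" <n.smith@example.org>' -> address.
    sender = parseaddr(from_header)[1]
    if sender and "@" in sender:
        for cand in candidates:
            if "@" in cand and _compare_key(cand) == _compare_key(sender):
                return cand, True

    # No match: fall back to the first address, but tell the caller so the
    # UI can flag that the certificate was not issued for this sender.
    return (candidates[0] if candidates else None), False


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    san = "email:office@example.org, email:n.smith@example.org, DNS:mail.example.org"
    print(signer_address_for('"N. Smith" <n.smith@EXAMPLE.org>', san))
    print(signer_address_for("someone@else.example", san))
```

The second return value matters as much as the first: a valid signature from a certificate that names none of the sender's addresses should be shown as a mismatch rather than silently displayed with another address.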