From: tlhackque <tlh...@ya...> - 2009-07-09 12:24:53
smime plugin 0.7 does not flag the From address when it does not match the signing certificate. It should. In fact, RFC2312 says it MUST: "Receiving agents MUST check that the address in the From header of a mail message matches an Internet mail address in the signer's certificate."

Certainly this means that the email address proper must match; it's not obvious that the display name must also match - the latter being a bit more complicated - should it match /CN=? What about /G?

The requirement is to detect that a message "From: Fred Florgle<fr...@ex...>" but signed by "George J. Hacker Jr. <ge...@ex...>" with a valid certificate is flagged as NOT verified. I think that in the event of a mismatch, both From: in the message header AND the certificate "verified" line in the S/MIME block should be flagged.

This is something that Squirrelmail could do -- or one could argue that it's openssl's smime -verify that is missing the check.

---------------------------------------------------------
This communication may not represent my employer's views, if any, on the matters discussed.
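The RFC 2312 receiving-agent check the post asks for, as an added example that is not part of the post or of the smime plugin. It assumes the certificate's addresses have already been extracted (for instance the lines printed by `openssl x509 -noout -email`), compares only the address proper (the display name question is left open, as the post notes), and folds case on the domain only; the sample headers below are constructed and are not the original message.

```python
"""Check that a message's From: address matches an address in the signing
certificate, the receiving-agent rule RFC 2312 states as a MUST."""
from email.utils import parseaddr
from typing import Iterable, Tuple


def normalize(addr: str) -> str:
    """Lower-case the domain only. Domains are case-insensitive; local parts
    are not per RFC 5321, so they are left as-is (an assumption made visible
    here: many agents fold both). Returns '' for anything unusable."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return f"{local}@{domain.lower()}"


def from_matches_signer(from_header: str,
                        cert_emails: Iterable[str]) -> Tuple[bool, str]:
    """Return (verified, reason). `cert_emails` is the list of rfc822
    addresses carried by the signer's certificate (SAN rfc822Name and/or
    subject emailAddress), e.g. from `openssl x509 -noout -email -in cert.pem`."""
    _display, addr = parseaddr(from_header)
    want = normalize(addr)
    if not want:
        return False, f"From: header has no parseable address: {from_header!r}"
    have = {normalize(e) for e in cert_emails} - {""}
    if not have:
        return False, "signing certificate carries no email address"
    if want in have:
        return True, f"From: address {addr} is in the signer's certificate"
    return False, (f"From: address {addr} is not among the certificate's "
                   f"addresses {sorted(have)}; signature is NOT verified")


# Constructed sample, modelled on the mismatch described in the post.
FROM_SPOOFED = "Fred Florgle<fred.florgle@example.com>"
FROM_GENUINE = "George J. Hacker Jr. <george.hacker@example.com>"
SIGNER_CERT_EMAILS = ["george.hacker@example.com"]

if __name__ == "__main__":
    for header in (FROM_SPOOFED, FROM_GENUINE):
        ok, why = from_matches_signer(header, SIGNER_CERT_EMAILS)
        print("VERIFIED    " if ok else "NOT VERIFIED", "-", why)
```

A mail client would run this after the cryptographic verification succeeds and flag both the From: line and the S/MIME "verified" line when it returns False.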