[SM-PLUGINS] smime plugin validation

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

smime plugin 0.7 does not flag the From address when it does not match the signing certificate.  It should.  In fact, RFC2312 says it MUST:

"Receiving agents MUST check that the address in the From header of a mail message matches an Internet mail address in the signer's certificate. "

Certainly this means that the email address proper must match; it's not obvious that the display name must also match - the latter being a bit more complicated - should it match /CN=?  What about /G?  

The requirement is to detect that a message "From: Fred Florgle<fr...@ex...>" but signed by "George J. Hacker Jr. <ge...@ex...>" with a valid certificate is flagged as NOT verified.

I think that in the event of a mismatch, both From: in the message header AND the certificate "verified" line in the S/MIME block should be flagged.

This is something that Squirrelmail could do -- or one could argue that it's openssl's smime -verify that is missing the check.

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.