From: tlhackque <tlh...@ya...> - 2009-07-09 21:55:32
This is a follow-up to a note that I posted yesterday - the openssl people claim that openssl smime is not an e-mail client, and is not responsible for verifying the From field. So Squirrelmail has to handle it.

Patch against smime plugin 0.7, squirrelmail 1.4.17 attached.

This patch makes the smime plugin verify that the signer of a message is the sender indicated in the From header, per RFC2312. Note that this is NOT the Sender header - that header (rarely used) is the person responsible for the message being transmitted; From is responsible for the content - and From is who the RFC expects to sign.

There is still an issue that RFC822 indicates that From can list multiple authors -- in which case, there would be multiple signers. smime plugin doesn't handle that case, which UAs don't seem to use in practice. But this patch does make the common case work.

The patch also changes the highlighting of the "S/MIME Signed By" rows so that they are muted when everything is OK, but emphasized when there is a problem. Finally, it makes the results strings a bit more comprehensible.

I hope that someone will integrate this into the smime plugin distribution. (And also integrate the viewcert patch that I also posted yesterday.)

Enjoy.

---------------------------------------------------------
This communication may not represent my employer's views, if any, on the matters discussed.
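The check described in the post, as an added illustration: this is not the attached patch and not code from the smime plugin, and it is written in Python rather than the plugin's PHP. It assumes the signer addresses have already been taken from the certificate the S/MIME verifier accepted; the function name, status strings and case-insensitive comparison are assumptions made for the example, which also reports the multi-author From case instead of ignoring it.

```python
from email import message_from_string
from email.utils import getaddresses


def check_signer_is_author(raw_message, signer_emails):
    """Compare the From header with addresses from the signer certificate.

    signer_emails: addresses already extracted from the certificate that the
    S/MIME verifier accepted (assumed input; extraction is not shown here).
    Returns (status, authors_without_a_matching_signer).
    """
    msg = message_from_string(raw_message)
    # Only From is consulted; Sender is deliberately ignored.
    # getaddresses() splits display name from address, so a display name
    # that merely looks like an e-mail address is never compared.
    authors = [addr.lower()
               for _, addr in getaddresses(msg.get_all("From", [])) if addr]
    # Assumption: addresses are compared case-insensitively.
    signers = {e.strip().lower() for e in signer_emails}
    if not authors:
        return "no-from", []
    unsigned = [a for a in authors if a not in signers]
    if not unsigned:
        return "match", []
    if len(unsigned) < len(authors):
        return "partial", unsigned   # several authors, not all of them signed
    return "mismatch", unsigned


# Constructed sample messages (headers only matter here).
SIGNED_BY_AUTHOR = "From: Alice <alice@example.com>\nSubject: t\n\nbody\n"
SENDER_ONLY = ("From: ceo@example.com\nSender: mallory@example.net\n"
               "Subject: t\n\nbody\n")
DISPLAY_NAME = ('From: "alice@example.com" <mallory@example.net>\n'
                "Subject: t\n\nbody\n")
TWO_AUTHORS = "From: alice@example.com, bob@example.com\nSubject: t\n\nbody\n"

if __name__ == "__main__":
    cases = [(SIGNED_BY_AUTHOR, ["Alice@Example.com"]),
             (SENDER_ONLY, ["mallory@example.net"]),
             (DISPLAY_NAME, ["alice@example.com"]),
             (TWO_AUTHORS, ["alice@example.com"])]
    for raw, signers in cases:
        print(check_signer_is_author(raw, signers))
```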