Harakiri wrote:
--- On Sun, 11/9/08, Michael M Slusarz <[EMAIL PROTECTED]> wrote:
Beside that, there is
technically no means to get a message's sender from a
MIME viewer (which is used to render and verify the signed
message) in Horde at the moment.
This will be possible in IMP 5 - the MIME Viewer will have
access to the full MIME message, including headers of the
base RFC822 part.
The sender's address and the certificate e-mail do not need to match.
Thunderbird or any other e-mail client is using the outdated S/MIME v2 spec.
There is actually no requirement that the e-mails must match.
There are multiple reasons for this, the most obvious one is of course that
headers are not signed - since the From header isn't signed, everyone can modify
it and it does not belong to the signature/certificate validation process.
Another factor is that client certificates are enrolled even without e-mail
addresses in the certificate.
I hope IMP does not follow the suggestion by somebody on this list, because
currently it does the right thing.
Of course MIME headers are not signed and the RFC does not require
validation of the "From:" field. The RFC is a technical standard. The standard does
not *prohibit* a sender address warning. From the user's perspective, it is
good to be warned that From: is different from the certificate holder. IMP
is for people. Please take this into consideration during the IMP5
implementation. It could be an option in the config, for example - to
warn or not. A lot of IMP installations will turn this option on, I think.