> > > Vincenzo: S/MIME code?
> >
> > This mailet (server side signing) is properly working, and just needs to be
> > javadoc enhanced and some how-to documentation. But as I found a problem
> > with Outlook Express
> <snip>
> > because it considers as a tampering the fact of
> > having the signature not coming from the sender,
>
> <snip>
> Which it actually should according to the S/MIME standard (RFC-2632):
>
> Sending agents SHOULD make the address in the From or Sender header
> in a mail message match an Internet mail address in the signer's
> certificate. Receiving agents MUST check that the address in the From
> or Sender header of a mail message matches an Internet mail address
> in the signer's certificate, if mail addresses are present in the
> certificate. A receiving agent SHOULD provide some explicit alternate
> processing of the message if this comparison fails, which may be to
> display a message that shows the recipient the addresses in the
> certificate or other certificate details.
>
I wasn't precise:
a) the unsigned message comes with a
From: [EMAIL PROTECTED]
header;
b) the mailet adds a
Sender: "Trusted Server" <[EMAIL PROTECTED]>
header and
c) the mailet signs as
[EMAIL PROTECTED]
Obviously it is all parameterized.
This was done on purpose to comply with RFC-2632 (the Sender header is the same as the
Internet mail address in the signer's certificate), but Outlook Express ignores the
Sender header and checks only the From header.
Vincenzo
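
Added example, not part of the original message or of the mailet's code: a sketch of the receiving-agent comparison quoted from RFC-2632 (From or Sender must match a certificate address) next to a From-only comparison like the one reported for Outlook Express. All addresses and function names are assumptions made for illustration, and the certificate addresses are passed in as plain strings rather than parsed from a real certificate.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mirroring the layout described above; every address is a
# placeholder (the thread's real addresses are redacted).
SERVER_SIGNED = message_from_string(
    "From: Alice <alice@example.org>\n"
    'Sender: "Trusted Server" <signer@mail.example.org>\n'
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def normalize(addr):
    """Lower-case only the domain; the local part is left as written."""
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"

def header_addresses(msg, name):
    """Set of normalized addr-specs from every header called `name`."""
    pairs = getaddresses(msg.get_all(name, []))
    return {normalize(a) for _, a in pairs if "@" in a}

def check(msg, cert_addresses, headers):
    """True/False if a listed header matches a certificate address;
    None when the certificate carries no mail address (nothing to compare)."""
    cert = {normalize(a) for a in cert_addresses if "@" in a}
    if not cert:
        return None
    seen = set()
    for name in headers:
        seen |= header_addresses(msg, name)
    return bool(seen & cert)

def rfc2632_check(msg, cert_addresses):
    """Receiving-agent rule as quoted: From or Sender may match."""
    return check(msg, cert_addresses, ("From", "Sender"))

def from_only_check(msg, cert_addresses):
    """Stricter behaviour reported for Outlook Express: From must match."""
    return check(msg, cert_addresses, ("From",))

if __name__ == "__main__":
    cert = ["signer@mail.example.org"]  # assumed certificate address
    print("From or Sender:", rfc2632_check(SERVER_SIGNED, cert))
    print("From only:     ", from_only_check(SERVER_SIGNED, cert))
```

A `False` result is where the RFC text asks for explicit alternate processing, such as showing the recipient the addresses found in the certificate.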