Quote from Nikolaos Milas <nmi...@noa.gr>:
On 28/12/2011 12:42 AM, Nikolaos Milas wrote:
On 27/12/2011 11:32 PM, Michael M Slusarz wrote:
Do you locally have a copy of the signer's certificate? If not,
there is no way to reliably verify the certificate - anybody can
create a certificate containing the sender's credentials.
Hmm, not really; If the personal certificate is signed from an
official CA, whose certificate is in turn included in the CAfile
used for verification (which is the case in our scenario), then the
certificate is considered verified. Isn't it?
Hi,
I haven't seen any progress on this issue.
I would like to add that - for example - Thunderbird includes
functionality to declare a CA certificate as "Trusted", and,
subsequently, it automatically accepts people's certificates signed
by that CA as trusted as well.
Similarly, Horde S/MIME extension, since it is using OpenSSL and a
specific CAfile, should accept as trusted all personal certificates
signed by any CA included in that CAfile. So, if this is the case
(as in our case), the message by SMIME should NOT be: "Message
verified successfully but the signer's certificate could not be
verified." but "Message verified successfully."
Otherwise, Horde S/MIME should include (similar to Thunderbird)
functionality to declare certificates as trusted. Currently, even if
we manually import a (public) personal certificate for a particular
person, and that person is in our address book, Horde S/MIME insists
that "...the signer's certificate could not be verified."
So, when will Horde S/MIME - as it is now - accept that the signer's
certificate could be verified?
This has nothing to do with Horde. All verification is done via OpenSSL.
Additionally, the displayed S/MIME Sender information does not
always match the mail message sender address. Currently, Horde
S/MIME, like Mozilla Thunderbird and MS Outlook, actually displays
as the "email" the *first* address of those included in the Subject
Alternative Name Extension. Yet, I believe that it should not
display the *first* one (of the email addresses placed in the
Subject Alternative Name Extension ), but the one that *matches* the
mail message sender's address, if there is one. Note that
Squirrelmail smime plugin has recently been updated to behave like
that as well. (Refs: RFC 5280, Sections 4.1.2.6 and 4.2.1.6.)
This is not trivial, because the cert doesn't know anything about its
envelope, i.e. the e-mail message.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
--
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
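The sender-matching rule Nikolaos asks for above (display the SAN rfc822Name that matches the message's From address, not simply the first one), as an added example that is not part of this thread or of Horde/IMP's code. It assumes the `cryptography` package for parsing the certificate; the address list in the demo is constructed.

```python
# Added example (not Horde/IMP code): pick the SAN rfc822Name that matches the
# message sender instead of showing the first one (RFC 5280, section 4.2.1.6).
from typing import List, Optional, Tuple


def _split_mailbox(addr: str) -> Optional[Tuple[str, str]]:
    """Split 'local@domain' into (local, lower-cased domain).

    RFC 5280 section 7.5: the local-part is compared case-sensitively,
    the domain part case-insensitively. Returns None for malformed input."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()


def select_signer_email(san_emails: List[str], from_address: str) -> Optional[str]:
    """Return the SAN e-mail address that matches the message sender, or None.

    None means the signer's certificate carries no address for this sender;
    the mail client should flag that mismatch rather than fall back to the
    first SAN entry, which would hide a cert/sender discrepancy."""
    wanted = _split_mailbox(from_address)
    if wanted is None:
        return None
    for candidate in san_emails:
        if _split_mailbox(candidate) == wanted:
            return candidate
    return None


def san_emails_from_pem(pem: bytes) -> List[str]:
    """Extract every rfc822Name from a PEM certificate's SubjectAltName.

    Uses the 'cryptography' package (assumed installed); returns [] when the
    extension is absent."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID

    cert = x509.load_pem_x509_certificate(pem)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.RFC822Name)


if __name__ == "__main__":
    # Constructed SAN list standing in for san_emails_from_pem(cert_pem).
    sans = ["nmilas@example.org", "nikos@example.net"]  # hypothetical addresses
    print(select_signer_email(sans, "nikos@EXAMPLE.NET"))  # nikos@example.net
    print(select_signer_email(sans, "Nikos@example.net"))  # None: local-part differs
```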