Arshad Noor wrote:
>A comment and a question, Bob; the comment: > >My experience with Communicator 4.79 is that it can handle a >certificate that has no E component in the DN (although it does >have the subjectAltName extension) - and will allow you to sign >e-mail (so long as the keyUsage & extendedKeyUsage extensions >permit this). > I know we added subjectAltName as a secondary source of the email address, I just don't remember when. >However, given this, rather unfortunate limitation, it is easy >to create an e-mail that claims to be from anybody you want to be >(by putting in the appropriate e-mail address in the Preferences), >and yet have a validly signed e-mail. If the reader does not >actually click on the "Signed" icon to see who signed it, they >could easily fall into the trap and assume that it was signed by >the sender. > Unless there's a bug, this shouldn't happen. Are you sure this can occur in 4.7x? If so please write a bug report on it (as well as one in mozilla because it's roughly the same code base). The From email address should always be checked against the email address in the certificate. > >The question: are there any plans to fix the existing Communicator >code to validate the From address with the e-mail address in the >subjectAltName? I'm guessing from this thread that the 6.x code >will have that fix. > Currently there is not plans to fix this because because we believe it to be working. As I meantioned earlier, we plan to eventually allow email-less certificates, but we these schemes have to use some trusted 3rd party (the application user, or a directory for instance) to verify the binding between email address and certificate. bob > > >Arshad Noor > > >Robert Relyea wrote: > >--snip-- > >>This is hardly the first implementation of S/MIME. We will already face >>the problem that older versions don't even understand subjectAltName, >>yet alone handle a multiple email address to single cert mapping. >> Existing versions of Communicator will downright choke on Certs >>presented as email certs without the email address in the SubjectName. >> >--snip-- >
