[Bug 278973] New: Signature check doesn't check against From: e-mail address
Bernd Paysan
bernd.paysan at gmx.de
Sun Jul 31 22:54:42 BST 2011
https://bugs.kde.org/show_bug.cgi?id=278973
Summary: Signature check doesn't check against From: e-mail address
Product: kmail2
Version: 2.1.0
Platform: openSUSE RPMs
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: crypto
AssignedTo: kdepim-bugs at kde.org
ReportedBy: bernd.paysan at gmx.de
Version: 2.1.0 (using KDE 4.7.0)
OS: Linux
Send a signed e-mail from a new account, and use the old PGP key without adding
the new e-mail account to the list. This will show up as "green" at the
receiver side, since the signature itself is valid, but there's no check
against the e-mail originator. Clicking on "details" shows only the main e-mail
address, so when the key is used for a bunch of different addresses, this is
still misleading.
Reproducible: Always
Steps to Reproduce:
Send a signed e-mail from a new account, and use the old PGP key without adding
the new e-mail account to the list - or any other PGP key that doesn't
correspond to the account.
Actual Results:
Signature check says "ok", message in green.
Expected Results:
Signature check says "ok" for the actual mail content, but should warn about the
discrepancy between e-mail address and public key - message should be in red.
Just imagine a browser would report green on SSL when the site "ebay.com"
presents a valid certificate for "3vi1.h4ck0r.com".
Haven't checked, but it seems that this problem has been there for ages. To
be honest, Thunderbird/enigmail has the same bug.
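The check the report asks for, as an added illustration that is not part of the bug report or of KMail's code: after the cryptographic verification succeeds, the From: address is compared against every user ID on the signing key, and the verdict only turns "green" when both conditions hold. The key UIDs and headers below are constructed sample values.

```python
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class SignatureVerdict:
    signature_valid: bool      # outcome of the cryptographic check alone
    sender_matches_uid: bool   # From: address appears among the key's user IDs
    key_uids: list             # every UID, so a "details" view can list all addresses

    @property
    def trust_level(self):
        # A valid signature from a key that does not claim the From: address
        # is reported like an invalid one, mirroring a certificate/hostname mismatch.
        if self.signature_valid and self.sender_matches_uid:
            return "green"
        return "red"


def normalize(addr):
    """Lower-case the domain part; the local part is kept as written."""
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"


def uid_addresses(uids):
    """Extract the bare e-mail address from each OpenPGP user ID string."""
    addrs = set()
    for uid in uids:
        _, addr = parseaddr(uid)
        if addr and "@" in addr:
            addrs.add(normalize(addr))
    return addrs


def evaluate(signature_valid, from_header, key_uids):
    """Combine the crypto result with the From:/UID comparison."""
    _, sender = parseaddr(from_header)
    matches = signature_valid and normalize(sender) in uid_addresses(key_uids)
    return SignatureVerdict(signature_valid, matches, list(key_uids))


# Constructed sample key: two UIDs bound to the same signing key.
KEY_UIDS = ["Alice Example <alice@example.org>", "alice@example.com"]

if __name__ == "__main__":
    for hdr in ("Alice <alice@example.org>", "Alice <alice@new-account.example>"):
        v = evaluate(True, hdr, KEY_UIDS)
        print(hdr, "->", v.trust_level, "| key addresses:", sorted(uid_addresses(v.key_uids)))
```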