[kmail2] [Bug 353317] kMail 5.0: Wrong signature issuer shown for OpenPGP signed mails (SMIME not tested).
m.eik michalke
bugzilla_noreply at kde.org
Thu Oct 29 12:44:29 GMT 2020
https://bugs.kde.org/show_bug.cgi?id=353317
m.eik michalke <bugs.kde.org at ad.gelduntergang.biz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bugs.kde.org at ad.gelduntergang.biz
Ever confirmed|0 |1
Version|unspecified |5.13.3
Status|REPORTED |CONFIRMED
--- Comment #2 from m.eik michalke <bugs.kde.org at ad.gelduntergang.biz> ---
i can replicate the issue, i.e., i actually just ran into the same thing, using
kmail 5.13.3. this should be considered as a security issue, as someone can be
tricked into believing an e-mail came from a certain person when it actually
did not.

this probably was less of a problem in 2015, but today web key directory
support (which is a good thing!) automatically imports available OpenPGP keys
into your keyring as soon as you have a fitting mail address in the To: field
of the editor (you don't even have to send a mail). even if those addresses
aren't signed by you, here's a potential for confusion.

kmail should always verify that the sender address is a valid identity of the
OpenPGP key used for signing. i would also add that info to the details.
--
You are receiving this mail because:
You are the assignee for the bug.
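
The check asked for in comment #2, as an added example (not KMail code and not part of the original message): a signature that verifies is only attributed to the sender when the From: address is a non-revoked user ID of the signing key. The UserID record, its fields, the result strings and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses, parseaddr


@dataclass
class UserID:
    """Hypothetical record for one user ID on the signing key."""
    uid: str        # e.g. "Alice Example <alice@example.org>"
    revoked: bool   # this user ID has been revoked
    trusted: bool   # certified by a key the local user trusts


def _addr(text):
    # Bare mailbox, lower-cased (lower-casing the local part is an assumption).
    return parseaddr(text)[1].strip().lower()


def check_signer(raw_message, signing_key_uids):
    """Classify a cryptographically good signature against the From: header."""
    msg = message_from_string(raw_message)
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    if len(senders) != 1:
        return "mismatch"  # missing or ambiguous From: never passes
    hits = [u for u in signing_key_uids
            if not u.revoked and _addr(u.uid) == senders[0]]
    if not hits:
        return "mismatch"  # good signature, but the key belongs to someone else
    return "match" if any(u.trusted for u in hits) else "match-untrusted"


# Constructed sample data, not taken from the bug report.
MESSAGE = 'From: "bob@example.net" <alice@example.org>\nSubject: hi\n\ntext\n'
BOB_KEY = [UserID("Bob <bob@example.net>", revoked=False, trusted=True)]
ALICE_WKD_KEY = [UserID("<alice@example.org>", revoked=False, trusted=False)]

if __name__ == "__main__":
    print(check_signer(MESSAGE, BOB_KEY))        # key of another person
    print(check_signer(MESSAGE, ALICE_WKD_KEY))  # matching but uncertified user ID
```

The "match-untrusted" result covers the case the comment raises about automatically imported keys: the address matches a user ID, but nothing the local user trusts has certified it.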