ietf-mxcomp

Re: User experience

2004-04-06 20:02:57

At 01:09 PM 4/6/2004, Markus Stumpf wrote:
> On Tue, Apr 06, 2004 at 12:16:52PM -0700, Mark Baugher wrote:
> > At 11:54 AM 4/6/2004, Markus Stumpf wrote:
> > >Maybe I'm missing something here, but isn't that exactly what PGP and
> > >S/MIME does? (ok, it validates the user, not only the domain)
> >
> > No, I don't believe either of these include the From or any header in the
> > integrity check of the mail message.  At least I don't believe PGP does.
>
> PGP does not check the fields as it only sees the signature, but in the
> signature you can store (even multiple) email addresses:
>
> pub  2048R/644A1C35 1996-07-03 Markus Stumpf <maex(_at_)leo(_dot_)org>
> uid                            Markus Stumpf <maex(_at_)lamer(_dot_)de>
> uid                            Markus Stumpf <maex(_at_)space(_dot_)net>
> uid                            Markus Stumpf (LEO) <stumpf(_at_)leo(_dot_)org>
> uid                            Markus Stumpf <stumpf(_at_)informatik(_dot_)tu-muenchen(_dot_)de>
>
> S/MIME signatures also contain names and eMail-Addresses.
>
> Of course it is in the area of responsibility of the MUA to make the
> interconnection between the 2822.from and the information derived from
> the signature.

Yes, Phill also pointed out that S/MIME has a similar consistency check on
the 2822 From.  My point was that the integrity check does not cover the From.
If it did, it still would not assure us that the sender were authorized to
send mail from that address or forward mail on behalf of that address.

Mark

>         \Maex
>
> --
> SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
> Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
> "The security, stability and reliability of a computer system is reciprocally
>  proportional to the amount of vacuity between the ears of the admin"
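
The MUA-side consistency check discussed in this message, as an added example that is not part of the original thread: it binds the single 2822.From address to the addresses in the signer's user IDs. It assumes the signature over the body was already verified elsewhere; the function names and the example.org addresses are constructed for illustration, and a match still says nothing about whether the sender was authorized to use that address.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def signer_addresses(uids):
    """Pull the addr-spec out of each key user ID ('Name (comment) <a@b>')."""
    found = set()
    for uid in uids:
        _, addr = parseaddr(uid)
        if "@" in addr:
            # Policy choice (assumption): compare case-insensitively.
            found.add(addr.lower())
    return found


def from_matches_signer(raw_message, uids):
    """True only if the single 2822.From address is one of the signer's UIDs.

    Assumes the signature over the body was already verified elsewhere and
    that `uids` came from the verified key, not from the message itself.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False  # missing or repeated From: nothing to bind to
    addrs = [a.lower() for _, a in getaddresses(from_headers) if a]
    if len(addrs) != 1:
        return False  # unparseable or multi-author From: treat as unverified
    # Compare the addr-spec only; the display name is free text.
    return addrs[0] in signer_addresses(uids)


# Constructed sample data (example.org addresses, not the ones in the thread).
SIGNER_UIDS = [
    "Markus Stumpf <maex@example.org>",
    "Markus Stumpf (LEO) <stumpf@example.org>",
]
MATCHING = "From: Markus Stumpf <MAEX@Example.ORG>\nSubject: test\n\nsigned body\n"
MISMATCH = 'From: "maex@example.org" <someone@example.net>\nSubject: test\n\nsigned body\n'
NO_FROM = "Subject: test\n\nsigned body\n"

if __name__ == "__main__":
    for label, raw in [("matching", MATCHING), ("mismatch", MISMATCH), ("no From", NO_FROM)]:
        print(label, from_matches_signer(raw, SIGNER_UIDS))
```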


