ietf-smime

Re: Signing on behalf of somebody else

2001-07-19 13:39:58

Leaving aside DOMSEC, the subject is confusing - a person who
possesses a private key cannot sign "on behalf of" someone else
unless the private key belongs to (and the certificate was
issued to) someone else.  Perhaps the subject was intended to
be "Sending on behalf of somebody else"?

In S/MIME v3 there is no connection between "sent by" (the From:
field in the unsigned RFC-822 message header) and "signed by"
(the name(s) contained in the certificate that validates the
signature).  V2 required certificates to contain an rfc822
address and for that address to match an unsigned header field;
those limitations were removed in v3.  The person named in the
certificate is the one whose signature will be validated;
that person can send email from home or from work, and can
switch jobs or switch ISPs without invalidating message
signatures.  Mail servers can rewrite addresses without
invalidating message signatures.

I'm not sure how a message signed by person A could be "sent"
(as opposed to being forwarded or otherwise included as an
attachment) by person B, but if an application were created
that allowed A to sign a message and B to push the button that
sends it to a mail server, that application would not violate
the intent of S/MIME v3.  It is the signer's signature, not the
sender's From: address, that is being validated.

Dave




Nagaraj Mandya wrote:

Hi,
   Is it possible for a mail being sent by one person
to be signed by a different person and still be treated
as a valid signature?

   My problem is like this. Any mail that a client
receives signed by a particular person's certificate
should be considered valid by the client irrespective
of who the actual sender is.

   Thanks.
--
Regards,
Nagaraj
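
The acceptance rule discussed in this thread, as an added example that is not part of either message: a receiving client keys its decision on the signer's certificate and treats the From: header as display information only. It assumes CMS signature and chain validation have already been done by a library; `VerifiedSigner`, `evaluate`, the pinned-fingerprint set and the sample data are hypothetical names and constructed values, and `require_from_match=True` models the v2-style address match described in the reply.

```python
import hashlib
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses


@dataclass(frozen=True)
class VerifiedSigner:
    """Identity taken from a certificate whose signature already validated."""
    subject: str
    rfc822_names: tuple   # may be empty: v3 does not require an address
    cert_der: bytes


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def evaluate(raw_message, signer, pinned, require_from_match=False):
    """Decide acceptance from the signer's certificate, not the From: header."""
    msg = message_from_string(raw_message)
    from_addrs = {a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a}
    cert_addrs = {a.lower() for a in signer.rfc822_names}
    from_matches = bool(from_addrs & cert_addrs)
    trusted = fingerprint(signer.cert_der) in pinned
    return {
        "accepted": trusted and (from_matches or not require_from_match),
        "signed_by": signer.subject,
        "sent_from": sorted(from_addrs),
        "from_matches_cert": from_matches,
    }


# Constructed sample data: placeholder bytes stand in for a DER certificate.
SIGNER_A = VerifiedSigner("CN=Person A", ("a@example.com",), b"constructed-cert-A")
SIGNER_C = VerifiedSigner("CN=Person C", ("b@example.net",), b"constructed-cert-C")
PINNED = {fingerprint(SIGNER_A.cert_der)}
MESSAGE_SENT_BY_B = "From: Person B <b@example.net>\nSubject: report\n\nbody\n"

if __name__ == "__main__":
    print(evaluate(MESSAGE_SENT_BY_B, SIGNER_A, PINNED))
    print(evaluate(MESSAGE_SENT_BY_B, SIGNER_A, PINNED, require_from_match=True))
    print(evaluate(MESSAGE_SENT_BY_B, SIGNER_C, PINNED))
```

The third case shows why the pin matters: a certificate whose address happens to match the From: header is still rejected when it is not the pinned signer.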
