Summary | PGP and message verification |
Queue | IMP |
Queue Version | HEAD |
Type | Bug |
State | Not A Bug |
Priority | 1. Low |
Owners | |
Requester | adrieder (at) sbox (dot) tugraz (dot) at |
Created | 02/16/2006 (7106 days ago) |
Due | |
Updated | 06/21/2006 (6981 days ago) |
Assigned | |
Resolved | 02/17/2006 (7105 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
addresses don't match
the one or one to which the signature belongs, IMP still tells me "The
message has been verified."
Shouldn't it complain that the from address does not match the signature?
security question.
I give you SMIME for example, SMIME v2 said - email and certificate
email must match. SMIME v3 says, it's no longer required.
The big plus for PGP was always that you are not bound to the
certificate email address (for encrypting i.e.)
To return to your original question - let's assume you have a group
account with multiple members but only the PGP signing key for the
group itself (let's say support) do you think that the signature is
invalid just because it was sent by joe average from the support group
? No. Generally speaking - everyone who has the secret key is normally
authorized to sign a message no matter which email address he uses
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ PGP and message verification
Queue ⇒ IMP
the one or one to which the signature belongs, IMP still tells me "The
message has been verified."
Shouldn't it complain that the from address does not match the signature?
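
The two properties discussed in this ticket, a cryptographically valid signature and a From address that matches the signing key, can be reported separately. The following is an added example, not IMP's code; the function name, the status strings and the sample addresses are hypothetical, and the signer's user IDs are assumed to come from whatever PGP backend did the verification.

```python
from email.utils import getaddresses, parseaddr


def _addr_set(values):
    """Extract lower-cased mailbox addresses from header-style strings."""
    found = set()
    for _name, addr in getaddresses(list(values)):
        if "@" in addr:  # skip user IDs that carry no e-mail address
            found.add(addr.strip().lower())
    return found


def classify_signature(sig_valid, from_header, signer_uids):
    """Keep signature validity and sender identity as separate results.

    sig_valid    -- outcome of the PGP verification itself (assumed input)
    from_header  -- raw value of the message's From header
    signer_uids  -- user ID strings of the key that made the signature
    """
    if not sig_valid:
        return "invalid"
    from_addrs = _addr_set([from_header])
    uid_addrs = {parseaddr(u)[1].strip().lower() for u in signer_uids}
    uid_addrs = {a for a in uid_addrs if "@" in a}
    if from_addrs & uid_addrs:
        return "verified"
    # The signature is still good; only the From address is not on the key.
    return "verified-sender-mismatch"


if __name__ == "__main__":
    # Constructed sample: group key for "support", mail sent from a member.
    group_key_uids = ["Support Team <support@example.org>"]
    print(classify_signature(True, "Joe Average <joe@example.org>", group_key_uids))
    print(classify_signature(True, "Support <SUPPORT@example.org>", group_key_uids))
```

A client using such a result could still display "The message has been verified." for both valid cases and add the signer's user ID in the mismatch case, which keeps the group-key scenario from the reply working.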