Posted by S. Pidgorny on August 2, 2006, 5:29 am
The problem is that Outlook is displaying the sender from SMTP headers that
can be different from the one who actually signs the e-mail. The reason for that
is because the message content is signed before SMTP headers are added -
which makes total sense and won't change.
Is that the right recap of the issue?
Also - do you see different behaviour in other mail clients?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
> Does anyone know if this problem with Outlook Digital Signatures has
> been resolved by Microsoft?
>
> ======================================================
> http://archive.cert.uni-stuttgart.de/archive/bugtraq/2005/03/msg00438.html
>
> http://www.logsat.com/Signatures/emails.asp
> ======================================================
>
> Sounds like a serious problem to me.
>
> I have recently started using digital certificates in OE and MS Outlook
> 2002/2003. It is a great way to send encrypted messages between
> recipients who have certificates. As well, it is a great way to ensure
> who messages are from for identity purposes.
>
> However, I have encountered some problems with some recipients not
> being able to open MS Outlook messages that have been signed (but not
> encrypted). While trying to research the cause of this problem, I came
> across the noted web sites above where the author was trying to
> resolve a problem of spoofed "signed" messages that Outlook Express did
> not catch. According to the author's documented correspondence with
> Microsoft, they were not acknowledging the problem.
>
> Anyone know if there is other verification of this problem?
> And, has Microsoft fixed this?
> If true, this is a very serious flaw.
>
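
The mismatch described in the reply at the top of this post, as an added example that is not part of the original thread: a Python check that compares the header From a mail client displays with the addresses in the signer's certificate. It assumes the S/MIME signature has already been verified and the certificate's e-mail addresses extracted; the function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def sender_binding(raw_message, signer_emails):
    """Compare the header From with the verified signer's addresses.

    signer_emails is an assumption of this example: the e-mail addresses
    taken from the signer certificate AFTER the S/MIME signature verified.
    Returns (verdict, header_addresses_not_covered_by_the_certificate).
    """
    msg = message_from_string(raw_message)
    # Use only the addr-spec; the display name is free text and may itself
    # look like an address. Lower-casing the whole address is a simplification.
    shown = [a.strip().lower()
             for _, a in getaddresses(msg.get_all("From", [])) if a]
    if not shown:
        return ("no-from", [])
    signers = {e.strip().lower() for e in signer_emails}
    unbound = [a for a in shown if a not in signers]
    return ("mismatch", unbound) if unbound else ("match", [])


def make_message(from_header):
    """Constructed sample: headers are added around an already signed body."""
    headers = ["To: carol@example.org", "Subject: quarterly figures"]
    if from_header is not None:
        headers.insert(0, "From: " + from_header)
    return "\n".join(headers) + "\n\n(signed S/MIME body placeholder)\n"


SIGNER = ["alice@example.com"]  # constructed signer certificate address

if __name__ == "__main__":
    for hdr in ["Alice <alice@example.com>",
                "Bob <bob@example.net>",
                '"alice@example.com" <mallory@example.net>',
                None]:
        print(repr(hdr), sender_binding(make_message(hdr), SIGNER))
```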