Re: Security Flaw with Digital Signatures in Outlook
From: Roberto Franceschetti (roberto_remove_n.o.s.p.a.m_tag_at_logsat.com)
Date: 02/18/05
- Next message: neo [mvp outlook]: "Re: How to change OWA logon screen"
- Previous message: R.A.: "Re: SMTP Server Remote Queue Length Alert on SERVER"
- In reply to: GT: "Re: Security Flaw with Digital Signatures in Outlook"
- Next in thread: Andrew Mitchell: "Re: Security Flaw with Digital Signatures in Outlook"
- Reply: Andrew Mitchell: "Re: Security Flaw with Digital Signatures in Outlook"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 18 Feb 2005 04:48:42 GMT
GT,
Outlook is the only email client that does not compare the from address to
the address in the digital signature. The issue is not with the RFCs and
S/MIME. The RFCs simply provide technical rules on how to ensure that the
body of an email is not modified, they are not technically "digital
signatures".
All will be much clearer if you look at the help files for both Outlook
Express (which *does* verify that the sender's address is the same as the
one in the digital signature) and Outlook's documentation. They both
*clearly* state that the digital signature is used to prove the sender's
identity, an identity which, as I've proved, can be modified in Outlook without
Outlook reporting it.
The key phrases in the following snippets of documentation are:
"By using digital IDs with Outlook Express, you can prove your identity in
electronic transactions in a way that is similar to showing your driver's
license"
and
"This proves to the recipient that the message is from you and not from an
imposter"
As you see the documentation clearly states that digital IDs are used also
to ensure the sender is not an impostor... And they are not talking about
RFCs there...
Let's look at Outlook Express' documentation:
***************************************
Sending secure messages
As more people send confidential information by e-mail, it is increasingly
important to be sure that documents sent in e-mail are not forged, and to be
certain that messages you send cannot be intercepted and read by anyone
other than your intended recipient.
By using digital IDs with Outlook Express, you can prove your identity in
electronic transactions in a way that is similar to showing your driver's
license when you cash a check.
***************************************
and now the bigger brother Outlook:
***************************************
This is also made very clear in the Outlook help file
(http://office.microsoft.com/assistance/hfws.aspx?AssetID=HP052423541033&CTT=1&Origin=EC010230001033&QueryID=XUI66rUx90):
Digitally sign messages
Digitally signing a message applies your certificate (certificate: A
digital means of proving your identity. When you send a digitally signed
message you are sending your certificate and public key. Certificates
are issued by a certification authority, and like a driver's license,
can expire or be revoked.) (with the public key (public key: The key a
sender gives to a recipient so that the recipient can verify the
sender's signature and confirm that the message was not altered.
Recipients also use the public key to encrypt (lock) e-mail messages to
the sender.)) to the message. This proves to the recipient that the
message is from you and not from an imposter and that the message has
not been altered. Encrypting (encrypt: The process of converting plain,
readable text into cipher (scrambled) text. The sender uses the
recipient's public key to encrypt (lock) the e-mail message and
attachments.) a message is a separate process.
***************************************
Roberto Franceschetti
"GT" <DSS4u@+++nospam+++HOTMAIL.COM> wrote in message
news:DkdRd.24458$4I5.1120858@news20.bellglobal.com...
> It appears to me that you do not accept MS' interpretation of the RFC.
> They are saying that the headers (which include the sender's address) are
> not supposed to be covered by the digital signature. If they are correct
> then it is behaving normally. This means that you must click on the
> signature to verify that it is from the right person. This actually makes
> some sense to me. If we draw an analogy with a letter, the envelope
> itself is not signed. You must look inside for the signature.
>
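The check the thread is arguing about, as an added illustration that is not code from the thread, from Microsoft or from either client: compare the From address to the e-mail identities carried in the signer's certificate. The signer identities are passed in as a plain list, standing in for what an S/MIME verifier would extract from the certificate (rfc822Name SANs and subject emailAddress); the message below is constructed and its signature bytes are elided because only the headers matter for this comparison.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample (not from the thread): a message claiming to come from a
# bank's payments desk. The S/MIME signature body is elided on purpose.
SAMPLE_MESSAGE = b"""From: "Accounts Payable" <payments@example-bank.test>
To: victim@example.test
Subject: Updated wire instructions
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

Please use the new account details.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

(signature bytes elided in this constructed sample)
--b1--
"""

def normalize(addr):
    """Case-fold the address. Most mail systems treat local parts
    case-insensitively, so this avoids false alarms on Alice@ vs alice@."""
    return addr.strip().lower()

def signer_matches_from(raw_message, signer_emails):
    """Return a verdict dict. `signer_emails` is an assumed input: the e-mail
    identities an S/MIME layer would pull out of the signer certificate."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # Only the addr-spec is compared. The display name is free text, which is
    # exactly the part a forger controls most easily, so it is ignored here.
    from_addrs = [normalize(a) for _, a in getaddresses(msg.get_all("From", [])) if a]
    signers = {normalize(a) for a in signer_emails if a}
    verdict = {"from": from_addrs, "signer": sorted(signers), "match": False}
    if not from_addrs:
        verdict["reason"] = "no parseable From address"
    elif len(from_addrs) != 1:
        verdict["reason"] = "multiple From addresses; refusing to vouch for any"
    elif from_addrs[0] in signers:
        verdict["match"] = True
        verdict["reason"] = "From address is one of the signer certificate identities"
    else:
        verdict["reason"] = "From address %s is not a signer identity" % from_addrs[0]
    return verdict

if __name__ == "__main__":
    print(signer_matches_from(SAMPLE_MESSAGE, ["someone-else@example.test"]))
```

A client that performs this comparison should surface a mismatch as a warning on the signed message, which is the behaviour the post attributes to Outlook Express.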