B
Berugia
Hallo,
during some tests with outlook and X.509 certificate we have found a bug in
Outlook 2000 and Outlook 2003.
Some mail client (ie Mozilla) doesn't control matching between signing
certificate attributes and outgoing e-mail header (while outlook does it).
For example I can send a mail like Mario Rossi, with SMTP address
(e-mail address removed) and i can sign it using a private key associated to a X.509
certificated enrolled to Paolo Verdi with SMTP address (e-mail address removed).
When I receive an e-mail created in this way I expect that the verifying
signature procedure fails giving a message like: certificate is valid, but
signature invalid. In fact the certificate is valid, but I couldn't sign an
e-mail sent from a different SMTP address and from a different sender than
the SMTP address and sender in the certificate attributes. Outlook 200x says
that signature is valid and signing certificate is valid too (outlook
express itself says that the certificate is valid, but the signature is
invalid); it doesn't generate any warning to notify that something is
wrong!!!
I know that configuring outlook to manage signature in mail message is not
so easy because registry manual editing is required. It's very strange that
Outlook 200x control matching between mail header and signing certificate
into outgoing mail message but it doesn't control the same matching into
incoming mail. So I've searched some KB bulletin but i didn't find anything
that can solve this bug. Can someone help me?
I've found these problem both in outlook 2000 installed on Windows 2000
professional (w2k with SP4 and all security patches installed Office 2000
with SP3 and all other security patches installed) and outlook 2003
installed on Windows XP professional (wxp with SP2 and all security patches
installed and office 2003 with SP1 and all security patches installed).
Thanks.
during some tests with outlook and X.509 certificate we have found a bug in
Outlook 2000 and Outlook 2003.
Some mail client (ie Mozilla) doesn't control matching between signing
certificate attributes and outgoing e-mail header (while outlook does it).
For example I can send a mail like Mario Rossi, with SMTP address
(e-mail address removed) and i can sign it using a private key associated to a X.509
certificated enrolled to Paolo Verdi with SMTP address (e-mail address removed).
When I receive an e-mail created in this way I expect that the verifying
signature procedure fails giving a message like: certificate is valid, but
signature invalid. In fact the certificate is valid, but I couldn't sign an
e-mail sent from a different SMTP address and from a different sender than
the SMTP address and sender in the certificate attributes. Outlook 200x says
that signature is valid and signing certificate is valid too (outlook
express itself says that the certificate is valid, but the signature is
invalid); it doesn't generate any warning to notify that something is
wrong!!!
I know that configuring outlook to manage signature in mail message is not
so easy because registry manual editing is required. It's very strange that
Outlook 200x control matching between mail header and signing certificate
into outgoing mail message but it doesn't control the same matching into
incoming mail. So I've searched some KB bulletin but i didn't find anything
that can solve this bug. Can someone help me?
I've found these problem both in outlook 2000 installed on Windows 2000
professional (w2k with SP4 and all security patches installed Office 2000
with SP3 and all other security patches installed) and outlook 2003
installed on Windows XP professional (wxp with SP2 and all security patches
installed and office 2003 with SP1 and all security patches installed).
Thanks.