EldoS | Feel safer!

From field s/mime

#14459
Posted: 09/15/2010 07:47:49
by Marcel Talamini (Standard support level)
Joined: 01/30/2010
Posts: 15

Can you tell me where I can find in the specification of S/MIME (RFC-2311) that the address must match the From field?

In our application the address of the sender is different than that of the certificate and with SecureBlackbox the signing failed.
I have an application from another company, which is written in Java, translated to C# using the SecureBlackbox assemblies.
In the Java application it is possible to have another address in the From field.

I hope my question is clear?

"Certificates of the sender (for signing) are put to certificate storage, which is then assigned to PartHandler.EncoderSignCertStorage property. Such certificates must (a) have corresponding private key and (b) include e-mail address which corresponds to the address in "From" field of the message."
#14460
Posted: 09/15/2010 08:26:18
by Ken Ivanov (EldoS Corp.)

This fact is stated not in the RFC2311, but in RFC2312:

Quote

End-entity certificates MUST contain an Internet mail address as
described in [RFC-822]. The address must be an "addr-spec" as defined
in Section 6.1 of that specification.

Receiving agents MUST recognize email addresses in the subjectAltName
field. Receiving agents MUST recognize email addresses in the
Distinguished Name field.

Sending agents SHOULD make the address in the From header in a mail
message match an Internet mail address in the signer's certificate.
Receiving agents MUST check that the address in the From header of a
mail message matches an Internet mail address in the signer's
certificate. A receiving agent MUST provide some explicit alternate
processing of the message if this comparison fails, which may be to
reject the message.


Quote
In the java application it is possible to have another address in the From field.

It's up to that Java application.
#14461
Posted: 09/15/2010 09:24:40
by Marcel Talamini (Standard support level)
Joined: 01/30/2010
Posts: 15

Thank you for the quick response.

It is now clear to me.
Can I bypass the rules of RFC2312 when creating an S/MIME message?
#14462
Posted: 09/15/2010 09:42:03
by Ken Ivanov (EldoS Corp.)

Unfortunately, no. As a matter of fact, there is not much sense in it, as the main intention of signing with a certificate is to confirm the signer's identity. By allowing messages with a different From address you eliminate the security provided by S/MIME.
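
The receiving-agent check quoted from RFC 2312 above, as an added example that is not part of the original thread and is not SecureBlackbox code. It assumes the signer certificate's e-mail addresses (subjectAltName and Distinguished Name) have already been extracted into a list; the function names, the sample messages, and the choices to compare the local part exactly and to require every From address to match are assumptions of this example.

```python
from email import message_from_string, policy

def normalize(addr_spec):
    """Lower-case the domain only; the local part is compared exactly."""
    local, sep, domain = addr_spec.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return f"{local}@{domain.lower()}"

def check_from_against_cert(raw_message, cert_addresses):
    """Return (verdict, detail); verdict is 'match', 'mismatch' or 'no-from'."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    # Use the parsed addr-spec, never the display name: a display name may
    # itself look like an address and must not take part in the comparison.
    from_addrs = [a.addr_spec for a in header.addresses] if header else []
    from_norm = {normalize(a) for a in from_addrs} - {None}
    if not from_norm:
        return "no-from", "no usable address in From header"
    cert_norm = {normalize(a) for a in cert_addresses} - {None}
    unmatched = sorted(from_norm - cert_norm)
    if unmatched:
        # RFC 2312: explicit alternate processing, e.g. warn or reject.
        return "mismatch", "not in signer certificate: " + ", ".join(unmatched)
    return "match", "From address is in the signer's certificate"

# Constructed sample data (not from the thread).
CERT_ADDRESSES = ["signer@Example.COM"]
SAMPLES = {
    "plain": "From: Signer <signer@example.com>\nSubject: t\n\nbody\n",
    "lookalike": 'From: "signer@example.com" <other@example.net>\n\nbody\n',
    "missing": "Subject: t\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_from_against_cert(raw, CERT_ADDRESSES))
```

The "lookalike" sample shows why the comparison must use the parsed address rather than the text a mail client displays: the display name carries the certificate's address while the actual From address does not.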

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.