Created attachment 1707: gpg signed mail from wrong sender verifying correctly without warning
claws-mail does correctly verify the signature status for emails, so it shows "Good Signature from <signature key primary address>". it does not, however, verify the actual from/sender address is one of the addresses in the signature key. i have attached two email messages (one GPG, one S/MIME) that verify as correctly signed messages, but each have a From: address that is not one of the addresses in the smime certificate/gpg key. expected behaviour: the signature status should include a warning that the from address is none of the addresses in the signature key.
Created attachment 1708: smime email from wrong sender verifying correctly without warning
(there doesn't seem to be an option to upload more than one attachment when creating a bug, so this one separate)
It is irrelevant. A key doesn't even need to have an email address associated with it.
you're right, keys/certs don't necessarily have addresses associated with them, but many certificate authorities only sign S/MIME certs that have mail addresses included and validate the email addresses. so what i'm trying to say is: i know that it's not given that each certificate has email addresses attached, but it's a use case many organisations i've been to have and they require that i can't send an email in your name, signed as me and have it get a green verification badge. or, put another way: the way you see it, it's the S/MIME certificate alone that verifies someone's identity, and possible mismatches between mail addresses (that i as a user see, but that are irrelevant to the protocol?) are to be ignored; is that right?
Re-opened and re-categorised under Plugins/Privacy/SMIME because this may be an issue with S/MIME.
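The check requested in this report, sketched as an added example (not Claws Mail code and not from any participant in this thread): compare the address in From: with the addresses in the signer's OpenPGP user IDs or S/MIME rfc822Name entries, and treat a key with no address as a separate "nothing to compare" case. The function names, status strings and sample identities are assumptions made for illustration.

```python
from email.utils import getaddresses, parseaddr


def _norm(addr):
    """Lower-case an addr-spec; return '' unless it looks like local@domain."""
    addr = addr.strip().lower()  # assumption: compare case-insensitively
    local, sep, domain = addr.rpartition("@")
    return addr if sep and local and domain else ""


def signer_addresses(identities):
    """Addresses found in OpenPGP user IDs or S/MIME rfc822Name values."""
    found = {_norm(parseaddr(ident)[1]) for ident in identities}
    return found - {""}


def check_sender(from_header, identities):
    """Compare the From: address with the addresses bound to the signing key.

    Returns (status, detail); status is one of
      "match"      From: address is listed in the key or certificate
      "mismatch"   key carries addresses, but not the one in From:
      "no-address" key carries no address at all, nothing to compare
      "bad-from"   From: has no usable address, or more than one
    """
    senders = {_norm(a) for _, a in getaddresses([from_header])} - {""}
    if len(senders) != 1:
        return "bad-from", "expected exactly one From: address"
    sender = next(iter(senders))
    known = signer_addresses(identities)
    if not known:
        return "no-address", "signing key has no mail address"
    if sender in known:
        return "match", sender
    return "mismatch", f"{sender} not in {sorted(known)}"


if __name__ == "__main__":
    # Constructed sample data, not taken from the attachments in this report.
    uids = ["Alice Example <alice@example.org>"]
    for hdr in ("Alice <Alice@Example.org>",
                '"alice@example.org" <mallory@example.net>'):
        print(hdr, "->", check_sender(hdr, uids))
    print(check_sender("alice@example.org", ["Build signing key"]))
```

Only the address part of From: is compared, so a display name that itself looks like the signer's address still yields "mismatch".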