https://bugs.kde.org/show_bug.cgi?id=278973

Summary: Signature check doesn't check against From: e-mail address
Product: kmail2
Version: 2.1.0
Platform: openSUSE RPMs
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: crypto
AssignedTo: kdepim-bugs@kde.org
ReportedBy: bernd.paysan@gmx.de

Version: 2.1.0 (using KDE 4.7.0)
OS: Linux

Send a signed e-mail from a new account, and use the old PGP key without adding the new e-mail account to the list. This will show up as "green" at the receiver side, since the signature itself is valid, but there's no check against the e-mail originator. Clicking on "details" shows only the main e-mail address, so when the key is used for a bunch of different addresses, this is still misleading.

Reproducible: Always

Steps to Reproduce:
Send a signed e-mail from a new account, and use the old PGP key without adding the new e-mail account to the list - or any other PGP key that doesn't correspond to the account.

Actual Results:
Signature check says "ok", message in green.

Expected Results:
Signature check says "ok" for the actual mail content, but should warn about the discrepancy between e-mail address and public key - message should be in red.

Just imagine a browser reporting green on SSL when the site "ebay.com" presents a valid certificate for "3vi1.h4ck0r.com".

Haven't checked, but it seems that this problem has been there for ages. To be honest, Thunderbird/enigmail has the same bug.