Open Bug 505990 Opened 16 years ago Updated 3 years ago

Not case sensitive depicted in certificate signature email

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows XP
Type:
defect

Tracking

(Not tracked)

People

(Reporter: frcek, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; cs; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 Build Identifier: Thunderbird 2.0.0.22 (20090605) PepaNovak@email.cz is certified signature (in all places -email server, Thunderbird account and by certificate autority as well), but pepanovak@email.cz is displayed in short describe security Thunderbird window. The name of account is correct (Mr. Pepa Novak). Only main email address is depicted not case sensitive. In received and sended emails as well. Sended email by Thunderbird and received in Outlook the certified signature email addresse is displayed case sensitive. Thunderbird not change it, only displayed it not case sensitive. Reproducible: Always Steps to Reproduce: 1.Do an email account like PepaNovak@email.cz, do Thunderbird account for PepaNovak@email.cz and do certified signature by any certified autority for PepaNovak@email.cz and key in certified signature to Thunderbird 2.Send or receive any email by addresse like certified PepaNovak@email.cz 3.View to this email to certified signature click to certified envelope and you can see pepanovak@email.cz Actual Results: I can see pepanovak@email.cz Expected Results: I like see PepaNovak@email.cz Important only for official contact, like offices. Not function defect.
Status: UNCONFIRMED → NEW
Component: Folder and Message Lists → Security
Ever confirmed: true
QA Contact: folders-message-lists → thunderbird
I agree with Jarda324 - this is a problem as there are several other S/MIME implementations around that perform a correct S/MIME verification (e.g. Apple Mail) and therefore fail if the mailbox-name is written in different case than in the S/MIME certificate. Please note that Thunderbird's behavior violates the way verification is stated in the RFC5750: "The right side of the email address SHOULD be treated as ASCII-case-insensitive." An RFC2821 states: "The local-part of a mailbox MUST BE treated as case sensitive." BTW: Thunderbird does also not check the sender mail address on sending - as it is described in the RFC: "Sending agents SHOULD make the address in the From or Sender header in a mail message match an Internet mail address in the signer's certificate" You can use any sender mail address...
Severity: minor → S3
You need to log in before you can comment on or make changes to this bug.