https://bugs.kde.org/show_bug.cgi?id=353317

m.eik michalke <bugs.kde....@ad.gelduntergang.biz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugs.kde.org@ad.geldunterga
                   |                            |ng.biz
     Ever confirmed|0                           |1
            Version|unspecified                 |5.13.3
             Status|REPORTED                    |CONFIRMED

--- Comment #2 from m.eik michalke <bugs.kde....@ad.gelduntergang.biz> ---
i can replicate the issue, i.e., i actually just ran into the same thing, using
kmail 5.13.3. this should be considered as a security issue, as someone can be
tricked into believing an e-mail came from a certain person when it actually
did not.

this probably was less of a problem in 2015, but today web key directory
support (which is a good thing!) automatically imports available OpenPGP keys
into your keyring as soon as you have a fitting mail address in the To: field
of the editor (you don't even have to send a mail). even if those addresses
aren't signed by you, here's a potential for confusion.

kmail should always verify that the sender address is a valid identity of the
OpenPGP key used for signing. i would also add that info to the details.

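The check requested in comment #2, sketched as an added example (not KMail or GnuPG code): a valid signature is only attributed to the sender when the From: address matches a non-revoked user ID of the signing key. The `UserID` model, the `certified` flag, the result labels and the sample keys are assumptions made for illustration, and addresses are compared case-insensitively.

```python
from dataclasses import dataclass
from email.utils import getaddresses, parseaddr


@dataclass
class UserID:
    """One user ID of the signing key (constructed model, not a GnuPG type)."""
    uid: str                 # e.g. "Alice Example <alice@example.org>"
    revoked: bool = False
    certified: bool = False  # True if the local user has certified this UID


def norm(addr):
    """Lower-cased addr-spec, or None if the string is not local@domain."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    return addr if sep and local and domain else None


def classify(from_header, signature_valid, user_ids):
    """Decide how a signature may be presented for the given From: header."""
    if not signature_valid:
        return "bad-signature"
    senders = [norm(a) for _, a in getaddresses([from_header])]
    # Exactly one parseable sender is required; anything else is not attributable.
    if len(senders) != 1 or senders[0] is None:
        return "sender-ambiguous"
    best = "sender-mismatch"
    for u in user_ids:
        if u.revoked or norm(parseaddr(u.uid)[1]) != senders[0]:
            continue
        if u.certified:
            return "match-certified"
        best = "match-uncertified"  # e.g. a key that was imported automatically
    return best


# Constructed sample keys: the first carries only mallory's address.
MALLORY_KEY = [UserID("Mallory <mallory@example.net>")]
ALICE_KEY = [UserID("Alice Example <alice@example.org>", certified=True),
             UserID("Alice <alice@old.example>", revoked=True)]

if __name__ == "__main__":
    # Valid signature, but the key has no user ID for the claimed sender.
    print(classify("Alice Example <alice@example.org>", True, MALLORY_KEY))
```

A mail client would show the "good signature" state only for `match-certified`, and surface the other results in the signature details.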