Roberto writes:

> This 3rd email is yet another variation showing how a digitally
> signed email can further be forged without Outlook ever raising
> warning flags (follow the hyperlinks for the email's source):

Digitally-signed messages cannot be forged. However, only the body of a digitally-signed message is actually included in the text covered by the signature; the headers are excluded. That's not an Outlook idiosyncrasy, it's just the way signed e-mail works.

In every screenshot you provide, Outlook correctly identifies the party that created the digital signature. That's what a security-conscious user will check. And the text of the message has not been changed, so the signature is still valid, and no forgery has occurred.

I'm afraid I don't see any problem here. Yes, it's inconvenient that one can forge the "From" line of a message, but in secure e-mail, one doesn't rely on the "From" line, anyway, precisely because it can be so easily forged. I suppose it might be nice if Outlook made the discrepancy between the "From" line and the signer's authenticated identity a bit more obvious, but that's not a security breach, just an ergonomic issue.

-- Anthony
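
An added example, not part of the original post: a Python sketch of the check described above, extracting the bytes a `multipart/signed` signature covers and comparing the "From" line with the signer's identity. The message is constructed with a placeholder signature, the function names are hypothetical, and `signer_email` is assumed to come from a signer certificate that has already been verified.

```python
import hashlib
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample; the signature part is a placeholder, not real PKCS#7.
RAW = (
    b"From: Alice Example <alice@example.org>\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Q3 figures\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    b' micalg=sha-256; boundary="sig1"\r\n'
    b"\r\n"
    b"--sig1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"The figures are attached.\r\n"
    b"--sig1\r\n"
    b"Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    b"\r\n"
    b"PLACEHOLDER-SIGNATURE\r\n"
    b"--sig1--\r\n"
)

def signed_entity(raw: bytes) -> bytes:
    """Return the first MIME part, the only bytes the signature covers."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    # The CRLF before each delimiter belongs to the delimiter, not the part.
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    return raw.split(delim)[1].removeprefix(b"\r\n")

def covered_digest(raw: bytes) -> str:
    """SHA-256 over the covered bytes; outer headers never enter it."""
    return hashlib.sha256(signed_entity(raw)).hexdigest()

def from_matches_signer(raw: bytes, signer_email: str) -> bool:
    """Compare the unsigned From header with the authenticated signer."""
    _, from_addr = parseaddr(message_from_bytes(raw)["From"])
    return from_addr.lower() == signer_email.lower()

if __name__ == "__main__":
    altered = RAW.replace(b"alice@example.org", b"someone.else@example.com")
    print("covered bytes unchanged:", covered_digest(RAW) == covered_digest(altered))
    print("From matches signer:", from_matches_signer(altered, "alice@example.org"))
```

A mail client or gateway can surface a `False` result from `from_matches_signer` as a visible warning next to the signature status.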