Hi there, again. New thread, new question.

As we all know, there ain't an easy way to do email identity validation. Still, we rely on email to post/comment to Launchpad.

For a user to post on LP via web browser, he has to authenticate him/herself with his/her credentials under an SSL cert. But ANYONE can just send any comment via email to a Bug report or Answer, by simply replying to a static LP address. Any identity can be easily forged, AFAICS, and cause temporary misinformation by seeming a legit source of information. It would not be very nice to see fake comments from Mark or any other Canonical member adding feedback to LP.

I can suggest one idea: sent emails should have a "salt" part that would be specific to every user and every bug. That way it would not be as easy for someone to just forge the To field.

I also know that this implementation would require a lot of new coding to the email system, and a really large database table just to store the relation of userid, bug/answer and salt. But Security and Trust should be taken into account.

Thanks for your time, hope this helps and sheds some light on this subject.

PS: is there any test server where one could do this type of tests (forging To, OpenSPF, etc)?

--
BUGabundo :o)
(``-_-´´) http://Ubuntu.BUGabundo.net
Linux user #443786 GPG key 1024D/A1784EBB
My new micro-blog @ http://BUGabundo.net
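The per-user, per-bug value proposed in the message above can be derived with a keyed hash (HMAC) instead of being stored, which removes the need for the large userid/bug/salt table. This is an added example, not Launchpad code and not part of the original post; the key, domain, address layout and function names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed values for illustration; none of these come from Launchpad.
SERVER_KEY = b"constructed-demo-key-keep-secret"
DOMAIN = "bugs.example.org"
TOKEN_HEX_LEN = 20  # keep 80 bits of the HMAC-SHA256 output

# Hypothetical address layout: <bug id>+<token>@<domain>
_ADDR_RE = re.compile(r"^(\d+)\+([0-9a-f]{%d})@(.+)$" % TOKEN_HEX_LEN)


def _token(user_id: str, bug_id: int) -> str:
    """Per-user, per-bug token, recomputable from the server key alone."""
    msg = f"{user_id}\x00{bug_id}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return digest[:TOKEN_HEX_LEN]


def reply_address(user_id: str, bug_id: int) -> str:
    """Address to put in the notification mail sent to user_id for bug_id."""
    return f"{bug_id}+{_token(user_id, bug_id)}@{DOMAIN}"


def accept_comment(claimed_user_id: str, rcpt_to: str) -> bool:
    """Accept an inbound comment only if the recipient address carries the
    token that was issued to the claimed sender for that specific bug."""
    m = _ADDR_RE.match(rcpt_to.lower())
    if not m or m.group(3) != DOMAIN:
        return False  # static or malformed address: no token to check
    bug_id, token = int(m.group(1)), m.group(2)
    expected = _token(claimed_user_id, bug_id)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token, expected)
```

The token is a bearer value: anyone who obtains a user's notification mail for that bug can reuse it, so this blocks blind forgery against a static address rather than proving who sent the message.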
This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.