Comment 16 for bug 316272

Scott Kitterman (kitterman) wrote : Re: [Bug 316272] Re: launchpad should verify gmail or DomainKeys authenticators

>Even just trusting GMail would make over 40% of our users happy,
>especially now FireGPG has dropped GMail support. I think it is fair to
>say that if we receive an email with a valid DKIM signature from
><email address hidden> then we can reasonably trust that it came from
><email address hidden>.

What's the basis for this claim?

>We are already trusting email providers due to the mechanics of password
>recovery. This may no longer be true when we become a proper OpenID
>relying party (at which point we start trusting the OpenID providers),
>but it is true now.

Not for actions that require authentication. For those you are trusting a gpg signature.

>We probably want a whitelist of domains to trust, or a tick box the user
>can select against their email address to toggle DKIM trust. Whitelist
>would be the best start I think.

Users are absolutely unqualified to make this decision.
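
An added example, not part of the original comment or Launchpad's code: the policy checks a domain-whitelist approach would need before treating a DKIM result as covering the From address. It assumes a separate DKIM verifier has already accepted the signature cryptographically; the allowlist contents, function names and sample messages are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"gmail.com"}  # hypothetical allowlist for this example

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def binds_sender(raw, trusted=TRUSTED):
    """Return (ok, reason). Assumes a DKIM verifier already accepted the
    signature cryptographically; this decides only what that result covers."""
    msg = message_from_string(raw)
    senders = msg.get_all("From", [])
    if len(senders) != 1:
        return False, "need exactly one From header"
    _, at, from_domain = parseaddr(senders[0])[1].lower().rpartition("@")
    if not (at and from_domain):
        return False, "From address has no domain"
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signer = tags.get("d", "").lower()
        signed = tags.get("h", "").lower().split(":")
        if signer != from_domain:      # strict match; subdomains not handled
            continue                   # signature vouches for another domain
        if "from" not in signed:
            continue                   # From header is outside the signature
        if signer not in trusted:
            return False, "signing domain not on allowlist"
        return True, "From domain signed by allowlisted domain"
    return False, "no signature binds the From header to its domain"

def sample(d, h, sender):
    """Build a constructed message; bh= and b= are placeholders, not real."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel;\n"
            f" h={h}; bh=AAAA; b=BBBB\n"
            f"From: {sender}\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    for args in [("gmail.com", "from:to:subject", "Alice <alice@gmail.com>"),
                 ("mailer.example", "from:to:subject", "alice@gmail.com"),
                 ("gmail.com", "to:subject", "alice@gmail.com"),
                 ("example.org", "from:subject", "bob@example.org")]:
        print(args[0], args[2], "->", binds_sender(sample(*args)))
```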