Comment 17 for bug 316272

Gavin Panella (allenap) wrote:

> > Even just trusting GMail would make over 40% of our users happy,
> > especially now FireGPG has dropped GMail support. I think it is
> > fair to say that if we receive an email with a valid DKIM
> > signature from <email address hidden> then we can reasonably trust that it
> > came from <email address hidden>.
>
> What's the basis for this claim?

I can't speak for Stuart, but I would say something like:

- We trust Google to authenticate users.

- We trust that Google only DKIM signs messages from authenticated
  users.

- If the DKIM signature on incoming email from Gmail validates, and
  the From: header is amongst the list of signed headers, we are
  willing to trust that the From: header is valid, and act on the body
  of the message accordingly.

Additionally, before being able to interact with Bugs from Gmail:

- The user must have confirmed their Gmail email address with
  Launchpad.

- The user therefore trusts Gmail to authenticate him or herself,
  because password resets can be performed by email.

  (On this point it is possible that users are not aware of the trust
  they place in their email provider, and it may be worth reminding
  users of this.)

> > We are already trusting email providers due to the mechanics of
> > password recovery. This may no longer be true when we become a
> > proper OpenID relying party (at which point we start trusting the
> > OpenID providers), but it is true now.
>
> Not for actions that require authentication. For those you are
> trusting a gpg signature.

I don't understand. Password recovery requires neither authentication
nor a gpg signature.

> > We probably want a whitelist of domains to trust, or a tick box
> > the user can select against their email address to toggle DKIM
> > trust. Whitelist would be the best start I think.
>
> Users are absolutely unqualified to make this decision.

Why? Suppose Launchpad gains the ability to trust DKIM signatures from
Gmail, but by default it is switched off. As a Gmail user I might like
to opt in to that for the convenience. The implications could be
explained to me at the point that I choose to opt in.

I am very keen for a feature like this to work, because it would be
really good for a huge proportion of Launchpad's users (including
me). I'm aware that security and convenience are perhaps being traded
off here.

Scott Kitterman wrote on 2010-06-01:
> If you think this is OK from a security perspective you really don't
> understand what DKIM is doing.
>
> Additionally, if you read the RFC, it says explicitly that a broken
> signature should be treated just like no signature at all, so if you
> think broken signatures are meaningful, you are misunderstanding the
> RFC.

I don't think that anyone proposed that broken signatures be treated
as useful in any way.

Scott, it seems you have the expertise. Please help us understand if
there *is* a way we can obtain a level of trust via DKIM sufficient to
allow users to interact with Launchpad via email. If not, why? If only
so that we don't have this same conversation again in 6 months.
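One way to encode the trust conditions listed in this comment (signature validates, From: is among the signed headers, signing domain is whitelisted), plus a From:/d= alignment check, as an added example that is not code from Launchpad or from the comment's author. It assumes the cryptographic verification result is supplied by the caller (for instance from dkimpy's dkim.verify, which needs DNS), and the whitelist and sample message are constructed.

```python
import email
from email.utils import parseaddr
from typing import Optional

# Constructed whitelist of signing domains whose DKIM signatures we act on.
TRUSTED_SIGNING_DOMAINS = {"gmail.com"}


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def from_header_is_trusted(raw_message: bytes, signature_valid: bool) -> Optional[str]:
    """Return the From: address if the message meets the trust conditions, else None.

    signature_valid is assumed to come from a real cryptographic DKIM check
    done by the caller. A broken signature is treated like no signature at all.
    """
    msg = email.message_from_bytes(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None or not signature_valid:
        return None
    tags = parse_dkim_tags(sig)
    # 1. From: must be covered by the signature, or it could have been altered.
    signed_headers = {h.lower() for h in tags.get("h", "").split(":")}
    if "from" not in signed_headers:
        return None
    # 2. Only signing domains on the whitelist are trusted to authenticate users.
    signing_domain = tags.get("d", "").lower()
    if signing_domain not in TRUSTED_SIGNING_DOMAINS:
        return None
    # 3. Added check: a valid signature only vouches for addresses at d=.
    _, addr = parseaddr(msg.get("From", ""))
    if not addr or addr.rsplit("@", 1)[-1].lower() != signing_domain:
        return None
    return addr


# Constructed sample message; selector, bh= and b= are placeholders.
SAMPLE = b"""DKIM-Signature: v=1; a=rsa-sha256; d=gmail.com; s=selector;
 h=mime-version:from:date:message-id:subject:to; bh=PLACEHOLDER=;
 b=PLACEHOLDER
From: Alice Example <alice@gmail.com>
To: bugs@example.invalid
Subject: Re: [Bug 316272] test

Body
"""
```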