>>>>> "Javier" == Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:
Javier> If spam e-mail is going to start closing our Bugs in the
Javier> BTS then we should start thinking about implementing
Javier> authentication checks in the BTS... like for example: do
Javier> not allow control messages or -close messages with no
Javier> attached (valid) GPG/PGP signatures (from a valid
Javier> developer?)"
Would a GPG signature help in the long run?
The BTS closes bugs based on the address in the SMTP recipient field.
This is not GPG protected.
So a Spammer could copy an existing email from an existing developer
from mailing list archives, forge his email address, and resend
it. The signature remains valid, and the bug will still be closed.
GPG signatures don't protect data that isn't protected (such as mail
headers or SMTP session), and it doesn't protect against replay
attacks (unless you add some other mechanism, e.g. include the date
and time in the protected part of the message).
--
Brian May <[EMAIL PROTECTED]>
