Follow-up Comment #5, sr #110907 (project administration):

TLDR: this looks too complicated to me.

> Often, but the from address is often secured (some newfangled authorised mail-submission-agent system with DNS, I think) and you can check the security of the email path in those cases, so if the user has nominated a from address for a so-secured mail-exchange then you're alright in that case.

I'm not aware of this protocol; at any rate, I believe such things should cover all users, not part of them.

> I suggested the user might nominate an email signature certificate which can't be impersonated much more than the website login.

They might, but would it really be more convenient for them?

> Even outside those cases, this is limited to commenting so you can clean up once you realise that a user has been impersonated

So far, we have neither means to clean up nor the need for it; to say nothing of the work on detecting the impersonations.

> and change the salts as often as you like. On the occasions that a salt has been changed before a user replies you can send out a new address for them to resend their reply to so you can even change the salt very often.

If I change the salt very often, the user won't be able to use it, and I can't see how it could protect against the interception.

> If you allow this case then you can indicate that the comment has no or little identity verification so people don't act as if such a comment was an authority.

I don't think it's a good idea to make our users learn another tracker-related concept; trackers are already more than sufficiently complicated.

> Alternatively or in-addition, on occasion a user could log in and validate the identity of comments sent by email and you could make that easy by sending a digest with a validation link either before or after the emails are spooled into comments.

If the user has to log in anyway, the usefulness of emails will be very limited.

> It would still be more practical to converse on development topics than interrupting a user workflow with website visits and the website login process injected between thoughts.

It's possible to do that, the emails just don't land in the tracker.

_______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?110907>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/