[Fwd: Bugmail is less secure than Bug views]

Gervase Markham gerv at mozilla.org
Tue Jun 12 09:57:58 UTC 2007

Max Kanat-Alexander wrote:
> 	Anybody who has an SSL cert and advertises TLS support on their
> mail server receives mail with SSL. They can also make their POP or IMAP
> connections with SSL.

This is true but, as someone commented on the security list, there's no 
way to enforce this. In a sense, it's optional rather than mandatory 
security. It also doesn't help if people have mail forwarding, or if 
they don't have control of their SMTP server (most people).

The way to do this would, I think, be to allow people to associate an
S/MIME or PGP key with their account, which would then be used to
encrypt all their bugmail where the bug was in one or more groups.

Sadly, none of these look ideal:
We need a library where we pass it the message text and the key, and get 
the encrypted text back. Most of them seem centred around files on disk.
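
An added sketch of the S/MIME variant of this idea, not part of the original message and not Bugzilla code: the `openssl smime` command takes the message on stdin and returns the encrypted text on stdout, so only the recipient's certificate is a file. The function names, the throwaway test identity and the policy of refusing to send when no certificate is on file are assumptions.

```shell
#!/bin/sh
# Added illustration, not Bugzilla code; function names are hypothetical.

# encrypt_bugmail CERT_PEM
# Mail text on stdin, S/MIME enveloped message on stdout. The message only
# passes through pipes; the recipient certificate is the one file needed.
encrypt_bugmail() {
    openssl smime -encrypt -aes256 "$1"
}

# prepare_bugmail BUG_GROUPS CERT_PEM   (mail text on stdin)
# BUG_GROUPS: space-separated groups the bug is in, empty for a public bug.
# Assumption: a restricted bug for a user with no certificate on file is
# refused (status 1) instead of being sent in the clear.
prepare_bugmail() {
    bug_groups=$1
    cert=$2
    if [ -z "$bug_groups" ]; then
        cat                         # public bug: send unchanged
    elif [ -s "$cert" ]; then
        encrypt_bugmail "$cert"     # restricted bug: encrypt to the user
    else
        cat >/dev/null              # drain stdin, send nothing
        echo "restricted bug, no certificate on file: not sent" >&2
        return 1
    fi
}

# roundtrip_demo: make a throwaway key pair (constructed test identity),
# encrypt a constructed bugmail, decrypt it, and check the text survives.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=user@example.org" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    enc=$(printf 'Subject: [Bug 1] constructed\n\nrestricted comment\n' |
        prepare_bugmail "security" "$work/cert.pem")
    dec=$(printf '%s\n' "$enc" |
        openssl smime -decrypt -recip "$work/cert.pem" -inkey "$work/key.pem")
    rm -rf "$work"
    case $enc in *"restricted comment"*) return 1 ;; esac
    case $dec in *"restricted comment"*) return 0 ;; esac
    return 1
}

roundtrip_demo && echo "round trip ok"
```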


