validation of email vs login via web
( ``-_-´´ ) -- Fernando
ubuntu at bugabundo.net
Mon Dec 10 21:29:30 GMT 2007
Hi there, again.
New thread, new question.
As we all know, there ain't an easy way to do email identity validation.
Still, we rely on email to post/comment to Launchpad.
For a user to post on LP, via web browser, he has to authenticate him/herself with his/her credentials under an SSL cert.
But ANYONE can just send any comment via email to a Bug report or Answer, by simply replying to a static LP address.
Any identity can be easily forged, AFAICS, and cause temporary misinformation by seeming a legit source of information.
It would not be very nice to see fake comments from Mark or any other Canonical member adding feedback to LP.
I can suggest one idea: sent emails should have a "salt" part that would be specific to every user and every bug.
That way it would not be as easy for someone to just forge the To field.
I also know that this implementation would require a lot of new coding to the email system, and a really large database table just to store the relation of userid, bug/answer and salt.
But Security and Trust should be taken into account.
Thanks for your time, hope this helps and sheds some light on this subject.
PS: is there any test server where one could do this type of tests (forging To, OpenSPF, etc)?
--
BUGabundo :o)
(``-_-´´) http://Ubuntu.BUGabundo.net
Linux user #443786 GPG key 1024D/A1784EBB
My new micro-blog @ http://BUGabundo.net
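
The per-user, per-bug "salt" suggested in the message above, as an added example that is not part of the original post and not Launchpad's code: here the salt is derived with an HMAC under a server-side key instead of being stored, so no userid/bug/salt table is needed. The key, domain, address layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from email.utils import parseaddr

# Constructed values: a real deployment would load the key from a secret
# store and use its own domain and address layout.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
DOMAIN = "bugs.example.test"
TAG_BYTES = 10  # 80-bit truncated tag keeps the local part short


def _tag(user_id: str, bug_id: int) -> str:
    # The NUL separator keeps ("ab", 1) and ("a", ...) style inputs unambiguous.
    msg = f"{user_id}\x00{bug_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:TAG_BYTES].hex()


def reply_address(user_id: str, bug_id: int) -> str:
    """Reply-To address for the notification sent to user_id about bug_id."""
    return f"{bug_id}+{user_id}+{_tag(user_id, bug_id)}@{DOMAIN}"


def authenticate_reply(to_header: str):
    """Return (user_id, bug_id) if the recipient address has a valid tag, else None."""
    # The From header is never consulted: the tag in the recipient address,
    # not the claimed sender, decides whose comment this is.
    # Assumes user ids contain neither "+" nor "@".
    _, addr = parseaddr(to_header)
    local, _, domain = addr.rpartition("@")
    if domain.lower() != DOMAIN:
        return None
    parts = local.split("+")
    if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
        return None
    bug, user_id, tag = parts
    expected = _tag(user_id, int(bug))
    if not hmac.compare_digest(tag.lower().encode(), expected.encode()):
        return None
    return user_id, int(bug)


if __name__ == "__main__":
    addr = reply_address("alice", 1234)
    print(addr, "->", authenticate_reply(addr))
    print("forged ->", authenticate_reply(addr.replace("+alice+", "+mark+")))
```

Such an address works as a bearer token: anyone who obtains a user's notification mail can reply as that user on that bug, so it narrows forgery rather than proving identity.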