Open Bug 943052 Opened 11 years ago Updated 10 years ago

Implement the ability to verify signed emails to authenticate the sender

Categories

(Bugzilla :: Incoming Email, enhancement)

enhancement
Not set
normal

People

(Reporter: LpSolit, Unassigned)

Details

email_in.pl lets you create and update bugs by email, but we currently have no authentication mechanism to verify that the sender is really who he pretends to be. This means that many public installations probably don't use email_in.pl to avoid spam/impersonation. We should allow users to upload their public PGP key (via the web interface!) so that Bugzilla can later verify that the sender of the incoming email is really the one he pretends to be. A parameter could control how email_in.pl works: accept all incoming emails or only signed ones or nothing (disabled).
We could use Crypt::OpenPGP. It's a pity it has so many dependencies, though.
For compatibility with the bmo's SecureMail extension, we should add the profiles.public_key column, of type LONGTEXT. This doesn't mean we must accept strings which are 16 MB long. :)
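
The acceptance policy proposed in this bug, sketched in Perl as an added example; it is not code from Bugzilla or from any patch on this bug. The mode values, the function name `accept_incoming_email` and the 64 KB key cap are assumptions made for illustration, and the caller is assumed to have already extracted the signed bytes and the detached signature from the message.

```perl
use strict;
use warnings;
use Crypt::OpenPGP;
use Crypt::OpenPGP::KeyRing;

# Hypothetical values for the proposed parameter (names are not from Bugzilla).
use constant { AUTH_DISABLED => 'disabled', AUTH_SIGNED => 'signed', AUTH_ALL => 'all' };
# Assumed upper bound on an uploaded key, far below what LONGTEXT could hold.
use constant MAX_KEY_BYTES => 64 * 1024;

# $mode       - value of the proposed parameter
# $stored_key - armored key from profiles.public_key for the From: account, or undef
# $signed     - exact bytes covered by the signature
# $sig        - detached, armored signature taken from the message
# Returns (1, reason) to accept the email, (0, reason) to reject it.
sub accept_incoming_email {
    my ($mode, $stored_key, $signed, $sig) = @_;

    return (0, 'incoming email is disabled') if $mode eq AUTH_DISABLED;
    return (1, 'unsigned email accepted by configuration') if $mode eq AUTH_ALL;
    return (0, 'unknown mode') if $mode ne AUTH_SIGNED;    # fail closed

    return (0, 'message is not signed') unless defined $sig && length $sig;
    return (0, 'sender has no stored public key')
        unless defined $stored_key && length $stored_key;
    return (0, 'stored key exceeds size limit')
        if length($stored_key) > MAX_KEY_BYTES;

    # The keyring holds only the key this account uploaded through the web
    # interface. Keys attached to the email or found elsewhere are never
    # consulted, so a valid signature made with any other key fails lookup.
    my $ring = Crypt::OpenPGP::KeyRing->new(Data => $stored_key)
        or return (0, 'stored key could not be read');
    my $pgp = Crypt::OpenPGP->new(PubRing => $ring);

    # verify() returns undef on error (for example, signing key not in the
    # ring), 0 for a bad signature, and a true value for a good one.
    my $valid = $pgp->verify(Data => $signed, Signature => $sig);
    return (0, 'verification error: ' . ($pgp->errstr // 'unknown'))
        unless defined $valid;
    return (0, 'signature does not match the message') unless $valid;
    return (1, 'signature verified against the stored key');
}
```

The caller passes the key stored for the account named in the From: header, which is what ties a valid signature to the claimed sender.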