[Owasp-leaders] Mailing list -> Forum

Rogan Dawes rogan at dawes.za.net
Wed Feb 9 22:28:14 EST 2011


On 2011/02/09 9:32 PM, Jerry Hoff wrote:
> Fair enough, but the solution that is being proposed is a forum +
> mailing list integration.  The only debate on this has been if we can
> post from the mailing list to the forum.  There is a security risk there
> of mail header forgery, but we can either 1) overcome this with a
> technical solution (randomized email addresses) or 2) accept the risk
> and move on. 

Is this not a position that we are in already? i.e., someone can fake
mail headers and send an email to the whole list?

This has clearly been acceptable up to this point, so why are we trying to
engineer a foolproof solution on top of an untrustworthy channel (SMTP)?

If you REALLY want to authenticate emails, make people PGP sign them.
But if that really IS a requirement, why have we not been doing it for
the last several years on the mailing list?

Rogan
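
The "randomized email addresses" option mentioned above, worked through as an added example that is not code from this thread or from OWASP's list or forum software. It assumes a hypothetical gateway domain, a gateway-held secret and the function names used here; the sample messages are constructed. Each subscriber is issued a posting address whose local part carries an HMAC of their address, and the gateway treats the From header purely as a claim that must be backed by the matching token in the recipient address:

```python
import hmac
import hashlib
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical settings (constructed for this example).
GATEWAY_DOMAIN = "forum-gateway.example"
# Held only by the gateway; per deployment, rotate if it ever leaks.
GATEWAY_SECRET = b"constructed-example-secret-do-not-reuse"


def posting_address(subscriber_email: str, secret: bytes = GATEWAY_SECRET) -> str:
    """Derive the per-subscriber posting address.

    The token is an HMAC over the subscriber's address, so the gateway keeps
    no table of random strings and the address cannot be guessed without the
    secret. 20 hex chars (80 bits) is plenty for an address nobody enumerates.
    """
    mac = hmac.new(secret, subscriber_email.lower().encode(), hashlib.sha256)
    return f"post+{mac.hexdigest()[:20]}@{GATEWAY_DOMAIN}"


def authenticate_post(raw_message: str, secret: bytes = GATEWAY_SECRET):
    """Return the authenticated sender, or None if the message must not be posted.

    The From header is forgeable, so it is only a claim. The claim is accepted
    only if one of the recipient addresses is exactly the posting address that
    the gateway would have issued to that sender.
    """
    msg = message_from_string(raw_message)
    _, claimed_sender = parseaddr(msg.get("From", ""))
    if not claimed_sender:
        return None
    expected = posting_address(claimed_sender, secret).encode()
    recipient_headers = (msg.get_all("To") or []) + (msg.get_all("Cc") or [])
    for _, rcpt in getaddresses(recipient_headers):
        # Constant-time comparison: the token is effectively a credential.
        if hmac.compare_digest(rcpt.lower().encode(), expected):
            return claimed_sender
    return None


# Constructed sample traffic.
ALICE = "alice@example.org"
BOB = "bob@example.org"

# Alice mails her own issued address: accepted.
LEGIT_MESSAGE = f"""From: Alice <{ALICE}>
To: {posting_address(ALICE)}
Subject: Re: Mailing list -> Forum

Agreed, let's try it.
"""

# Forged From: header sent to the plain list address: rejected.
FORGED_MESSAGE = f"""From: Alice <{ALICE}>
To: post@{GATEWAY_DOMAIN}
Subject: Re: Mailing list -> Forum

Not really from Alice.
"""

# Bob's token used with Alice's name: rejected, the token binds to Bob only.
MISMATCHED_MESSAGE = f"""From: Alice <{ALICE}>
To: {posting_address(BOB)}
Subject: Re: Mailing list -> Forum

Wrong token for the claimed sender.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_MESSAGE), ("forged", FORGED_MESSAGE),
                       ("mismatched", MISMATCHED_MESSAGE)]:
        print(label, "->", authenticate_post(raw))
```

This proves possession of the token, not authorship of the content: the token leaks as soon as a subscriber quotes their own posting address in public or forwards a message, so the gateway needs a way to reissue it, and it still says nothing about the body. Signing the message, as the reply above suggests, is what authenticates the content itself.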

