lockdown /submit on the network level

[adamdecaf]

Does it make sense to further lockdown the /submit endpoint on a networking level? The private key is required to post, but do we want it exposed out to the open as the other endpoints are?

[rot256]

I suppose you could cause DoS (verifying PGP signatures is not cheap), but I like the simplicity of not having to supply credentials.
Furthermore if we required that the submitter supply credentials then https becomes a must.

I have considered it, but fell on the side of simplicity and usability.