On 4/11/13 3:23 AM, Stefan Schlott wrote:
> On 11.04.2013 06:19, Joost van Baal-Ilić wrote:
>
>> I am Joost van Baal-Ilić. I create a PGP keypair with ID Barry Warsaw. I sent
>> the public key to the list server. I sent a mail, signed with the Barry-key,
>> encrypted to the listkey, with From: Barry's email address, to the list.
>> The listserver now distributes it to the list's subscribers, yes? The list
>> subscribers will believe the message is from Barry.
> You would have to do some key confirmation, just like you have to click
> a mail confirmation link upon subscription.
>
> Next problem: Mailman will have to decrypt the message and re-encrypt it
> for each recipient. This also strips the signature of the original
> sender. How do you show to the recipients that the original message was
> signed (in a way which cannot be forged by any other sender)?
>
>
> Generally speaking PGP support would be great, the efforts Joost and I
> made about 10 years ago never made it beyond alpha (or beta at best)
> stadium...
>
>
> Stefan.
>

Decrypting and re-encrypting shouldn't break signatures as the sender should first sign the unencrypted message, and then encrypt it. The signature can then be passed on in the re-encrypted message, and people can do their verification of the signature. It is up to each recipient to decide how well they trust the identity of the sender. Digital keys do NOT naturally verify the identity of the sender, they verify that the sender is a possessor of the signing key, and it is the web of trust on the key management side that connects that with an individual identity.

Also, re-encrypting to each recipient isn't as big of a job as it might seem, as actually what happens is a session key is made, and this is used to encrypt the message, then the session key is encrypted with the recipient's public key, so only this last piece needs to be done per recipient. You probably need to send copies individually, or every message will have information about who is subscribed to the list.

-- 
Richard Damon

_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
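
The flow discussed in this thread, as an added example that is not part of the original messages or of Mailman: the sender signs first and then encrypts to the list key, and the list server decrypts once and re-wraps a single session key per subscriber, leaving the inner signature verifiable. It assumes the Python `cryptography` package and uses Ed25519, AES-GCM and RSA-OAEP as stand-ins for OpenPGP; the function names and message layout are hypothetical.

```python
# Added illustration; message layout and names are constructed, not OpenPGP.
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
SIG_LEN = 64  # Ed25519 signatures are always 64 bytes

def seal(signed, recipient_pubs):
    """Encrypt once under a fresh session key; wrap that key per recipient."""
    session_key, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, signed, None)
    # One individual copy per recipient, so no copy lists the other recipients.
    return [{"wrapped_key": pub.encrypt(session_key, OAEP), "nonce": nonce,
             "ciphertext": ciphertext} for pub in recipient_pubs]

def unseal(msg, private_key):
    """Unwrap the session key and return the still-signed payload."""
    session_key = private_key.decrypt(msg["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(msg["nonce"], msg["ciphertext"], None)

def redistribute(msg, list_key, subscriber_pubs):
    """List server: decrypt with the list key, re-seal for the subscribers."""
    return seal(unseal(msg, list_key), subscriber_pubs)

def verify(signed, sender_pub):
    """Return the body if the inner signature checks out, else None."""
    sig, body = signed[:SIG_LEN], signed[SIG_LEN:]
    try:
        sender_pub.verify(sig, body)
    except InvalidSignature:
        return None
    return body

def new_rsa_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def demo(body=b"constructed test message"):
    sender, other = (ed25519.Ed25519PrivateKey.generate() for _ in range(2))
    list_key, subs = new_rsa_key(), [new_rsa_key(), new_rsa_key()]
    # Sender signs the plaintext first, then encrypts signature + body to the list key.
    to_list = seal(sender.sign(body) + body, [list_key.public_key()])[0]
    copies = redistribute(to_list, list_key, [k.public_key() for k in subs])
    payloads = [unseal(c, k) for c, k in zip(copies, subs)]
    return {"copies": copies,
            "verified": [verify(p, sender.public_key()) for p in payloads],
            "wrong_key": verify(payloads[0], other.public_key())}

if __name__ == "__main__":
    print(demo()["verified"])
```

A successful `verify` shows only that the signer held the private key; binding that key to a person is still a key-management question.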
