On Friday 16 August 2013 10:35 AM, Stephen J. Turnbull wrote:
> Abhilash Raj writes:
>
> > 1) How do list owner create keys? What parameters? Which address?
>
> python-gnupg provides a key-generation API, GPG.gen_key().
> Alternatively, this could be done manually by the trusted
> site-manager. The web UI would have to run over SSL, presumably
> HTTPS.
>
> I think the address should be $LIST-owner@fqdn. For other parameters,
> defaults are OK I think (size=2048, type=RSA IIRC).

Here, should the address not be the list's posting address? For example,
for the mm-dev list, should it not be "mailman-developers@python.org"?

> > About the address I think owner can create a key using posting
> > address with a min key length of 1024? or else mailman rejects the
> > key? MD5 hash should be discouraged and at least SHA1 should be
> > used? (although I found this[1] that even sha1 should not be used)
>
> Nobody short of a major government can afford to break private keys or
> crypto hashes on a regular basis. Otherwise, before they try to break
> SHA1, they'll kidnap and torture you (I'm serious about the
> calculation they'll make, not that I think it will happen to anybody
> we know for several thousand years).
>
> > 3) How to manage passphrases (or passwords) for keys?
> >
> > In previous discussions we decided to use gnupg-agent, although
> > I haven't tried it. Any other suggestions to it?
>
> I really don't know. As you probably know, files containing host keys
> for SSH and other SSL applications don't have passwords, but are
> simply made readable only by root. That might be the appropriate
> solution here. Otherwise, any reboot takes all lists down until the
> owner can be tracked down.
>
> > Also one more thing while running tests I noticed many other tests are
> > breaking as initially a simple message could pass through
> > "default-posting-chain" but now we need a multipart/signed message. So
> > should I worry about changing all other tests?
>
> Yes. Conventionally that is the responsibility of the person who adds
> a feature. However, there's nothing that says you can't ask Barry for
> help. He may know a way to do it quickly.

---
Abhilash Raj
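
Added example, not part of the original message and not Mailman's own code: a sketch of the key parameters discussed in this thread, written as a GnuPG unattended key-generation parameter block (the format python-gnupg's GPG.gen_key() hands to gpg), plus a permission check for the unprotected-key option. The function names, the Name-Real text and the 2048-bit floor are assumptions made for illustration.

```python
import os
import stat

MIN_KEY_LENGTH = 2048  # assumed policy floor; the thread also floats 1024


def list_key_address(list_name, fqdn, use_owner_address=True):
    """Address bound to the key: LIST-owner@fqdn or the posting address."""
    local = f"{list_name}-owner" if use_owner_address else list_name
    return f"{local}@{fqdn}"


def keygen_parameters(list_name, fqdn, key_length=2048, use_owner_address=True):
    """Build a GnuPG unattended key-generation parameter block."""
    if key_length < MIN_KEY_LENGTH:
        raise ValueError(f"key length {key_length} is below {MIN_KEY_LENGTH}")
    lines = [
        "Key-Type: RSA",
        f"Key-Length: {key_length}",
        f"Name-Real: {list_name} mailing list",
        f"Name-Email: {list_key_address(list_name, fqdn, use_owner_address)}",
        "Expire-Date: 0",
        # No passphrase: the key is protected by file permissions only,
        # like an SSH host key (needs GnuPG 2.1 or later).
        "%no-protection",
        "%commit",
    ]
    return "\n".join(lines) + "\n"


def homedir_is_private(path):
    """True if path is a directory with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


if __name__ == "__main__":
    # Constructed sample: list name and domain taken from the thread.
    print(keygen_parameters("mailman-developers", "python.org"), end="")
```

The parameter block can be passed to `gpg --batch --generate-key` with GNUPGHOME set to a directory for which homedir_is_private() returns True.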