On 4/29/13 5:40 AM, Ian Eiloart wrote:
> Also, what kind of secure list would have automated processing of
> message content as a requirement? If a message is gpg encrypted, then
> every sender would require the public keys of every recipient, would
> they not? Which means that a PKI for the list h
Ian Eiloart writes:
> Also, what kind of secure list would have automated processing of
> message content as a requirement?
Precisely, a list that wants to avoid this requirement:
> If a message is gpg encrypted, then every sender would require the
> public keys of every recipient, would the
On 29.04.2013 11:40, Ian Eiloart wrote:
> Also, what kind of secure list would have automated processing of
> message content as a requirement?
imho you're asking the wrong question ;-) _All_ network communication
should be encrypted, it is a pity that mail encryption is so little adopted.
> If
On 27 Apr 2013, at 14:40, Richard Wackerbarth wrote:
> I don't think that "we" have the expertise to create a "secure" system. At
> best, we can adopt good practices and provide an obscured traffic stream. I
> consider anything more to be beyond the scope of the MM project.
>
Also, what kind
I don't think that "we" have the expertise to create a "secure" system. At
best, we can adopt good practices and provide an obscured traffic stream. I
consider anything more to be beyond the scope of the MM project.
On Apr 27, 2013, at 8:22 AM, Stefan Schlott wrote:
> On 27.04.2013 06:45, Step
On 27.04.2013 06:45, Stephen J. Turnbull wrote:
> > 2. Your list has elevated security requirements. In this case, you can
> > use gpg-agent to manage the secret key (and its passphrase).
>
> I don't understand what threat you propose to address in this way.
> It's true that you can prevent the
Daniel Kahn Gillmor writes:
> If mailman is storing messages on-disk in an encrypted form, Stefan's
> proposal mitigates the threat of an adversary with offline access to the
> disk (e.g. in the event of server theft or seizure)
OK, it does that.
But in the event of that kind of threat, I thi
On 04/27/2013 12:45 PM, Stephen J. Turnbull wrote:
> Stefan Schlott writes:
>
> > 2. Your list has elevated security requirements. In this case, you can
> > use gpg-agent to manage the secret key (and its passphrase).
>
> I don't understand what threat you propose to address in this way.
> It's
On 04/27/2013 01:36 PM, Stephen J. Turnbull wrote:
> without a complete redesign starting
> from the assumption of encrypted messages whose plain text must
> be exposed as briefly as possible.
At least one project suggests that it may be possible to operate an
encrypted mailing list such that the
Barry Warsaw writes:
> OTOH, maybe that's all security theater. If the Mailman system's
> private key is available to an attacker, then having the encrypted
> message on disk temporarily is probably not going to stop them from
> decrypting it.
It's worse than that. The attacker doesn't need
Stefan Schlott writes:
> 2. Your list has elevated security requirements. In this case, you can
> use gpg-agent to manage the secret key (and its passphrase).
I don't understand what threat you propose to address in this way.
It's true that you can prevent the attacker from getting access to th
On 26.04.2013 20:55, Terri Oda wrote:
> I've been wondering about that... is there any time when the encrypted
> message on disk would be available but the private key not?
As already pointed out, there are (at least) two ways to avoid an
unprotected secret key (or the corresponding pass phrase,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Everyone was sending signed messages so i thought to send one too ;-),
Though my public keys are not available at any key-server.
On Saturday 27 April 2013 12:15 AM, Barry Warsaw wrote:
> On Apr 26, 2013, at 02:09 PM, Stefan Schlott wrote:
>
> > - di
On 04/26/2013 12:45 PM, Barry Warsaw wrote:
OTOH, maybe that's all security theater. If the Mailman system's private key
is available to an attacker, then having the encrypted message on disk
temporarily is probably not going to stop them from decrypting it.
I've been wondering about that... i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On Apr 26, 2013, at 02:09 PM, Stefan Schlott wrote:
>- disk queue. I don't remember if mailman persists received (but not
>yet sent) mails on disk.
>
>Addressing the last point, you can either choose to decrypt the mail
>in a later stage, or (if thi
On 25.04.2013 21:10, Abhilash Raj wrote:
>> Abhilash, i don't see any mention in your proposal of how you plan to
>> deal with the secret key material. will there be a way for mailman to
>> use a secret key that is stored in a password-protected form? If so, how?
>>
>> Well I am not quite profic
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 25.04.2013 15:35, Daniel Kahn Gillmor wrote:
> abhilash might have meant that there is a concern that a decrypted
> message could be stored *on disk* in one of the queues, not just
> in memory.
Of course, it's a good idea to decrypt the data as l
On Apr 22, 2013, at 06:24 AM, Richard Wackerbarth wrote:
>I echo Stephen's comments. Although I try to lurk on the #mailman channel
>most of the time, being half a world away from him, I am most likely to be at
>the keyboard after 1100 UTC and before 0200 UTC.
We chatted on #mailman a few days ag
On Thu, Apr 25, 2013 at 7:05 PM, Daniel Kahn Gillmor
wrote:
> On 04/25/2013 04:36 PM, Stefan Schlott wrote:
> > On 25.04.2013 00:14, Abhilash Raj wrote:
> >
> >> 1) When a message is decrypted and then passed on between the queues, it
> >> creates a security threat for the cleartext message is bei
On 04/25/2013 04:36 PM, Stefan Schlott wrote:
> On 25.04.2013 00:14, Abhilash Raj wrote:
>
>> 1) When a message is decrypted and then passed on between the queues, it
>> creates a security threat for the cleartext message is being held in
>> memory, even for a small time in between the runners.
>
On 25.04.2013 00:14, Abhilash Raj wrote:
> 1) When a message is decrypted and then passed on between the queues, it
> creates a security threat for the cleartext message is being held in
> memory, even for a small time in between the runners.
The Mailman server holds the key to decrypt _every_ in
Abhilash Raj writes:
> I made a small list[1]
> [1]: https://gist.github.com/maxking/5455462
I strongly recommend that you put this in your proposal on Melange.
The mentors will all see it on the mentors' list that way, and you
won't get caught short at deadline when Melange crashes.[1]
If yo
Hi all,
I made a small list[1] of deliverables for this project and required changes
in mailman for it. Can you all please review it and comment on how it can
be improved.
Also there are two points that I am not able to think on,
1) When a message is decrypted and then passed on between the queue
Although there might be a place for the use of OpenPGP for identification of
users to the WebUI, such a project would not, in itself, be sufficiently
complex for a GSoC project. If you are interested in such an effort, it would
need to be combined with other (preferably related) aspects of authe
On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
> I am an undergrad student interested in OpenPGP integration in mailman as a
> GSOC project this summer.
Here is a semi-related idea; use OpenPGP instead of passwords for
authentication to the web interface, possibly using monkeysphere:
http://
I echo Stephen's comments. Although I try to lurk on the #mailman channel most
of the time, being half a world away from him, I am most likely to be at the
keyboard after 1100 UTC and before 0200 UTC.
However, I strongly suggest that you begin more specific questions on this
mailing list.
Ric
Abhilash Raj writes:
> Can you tell about who is going to mentor this (OpenPGP integration with
> mailman)
I would guess the official mentors are likely to be myself and Wacky
(Richard Wackerbarth). Joost isn't official (why not? -- you get a
T-shirt! :-) but he has expressed interest and offer
Hi all,
Can you tell about who is going to mentor this (OpenPGP integration with
mailman) so that I can discuss a few things about the application? Also
others can you please give me a few suggestions about proposal on the idea
that is discussed in this[1] thread.
[1]:
http://mail.python.org/piperm
Hi Abhilash Raj,
Abhilash Raj raj.abhilash1 at gmail.com schreef:
>On Sun, Apr 7, 2013 at 4:47 AM, Daniel Kahn Gillmor
>wrote:
>> On 04/06/2013 06:53 PM, Paul Wise wrote:
>> > On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
>> >
>> >> I am an undergrad student interested in OpenPGP integration
Abhilash Raj writes:
> Can you please point me in some direction to learn about the various
> possible ways to sign a mail and/or encrypt it.
Basically that's going to be MUA-dependent. There are standards for
this (prominently S/MIME aka RFC 5751), but whether MUAs implement it
is MUA-specifi
On Sun, Apr 7, 2013 at 7:46 PM, Stephen J. Turnbull wrote:
> Abhilash Raj writes:
>
> > Well what i want to make it is that whenever a user sends a mail to the
> > list it should be signed with his private key so that it can be verified
> > against his public that he uploads if he wants permiss
Abhilash Raj writes:
> Well what i want to make it is that whenever a user sends a mail to the
> list it should be signed with his private key so that it can be verified
> against his public that he uploads if he wants permissions to post in the
> list.
You mean that the user should sign it h
Thanks all for replying.
On Sun, Apr 7, 2013 at 4:47 AM, Daniel Kahn Gillmor
wrote:
> On 04/06/2013 06:53 PM, Paul Wise wrote:
> > On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
> >
> >> I am an undergrad student interested in OpenPGP integration in mailman
> as a
> >> GSOC project this summ
On 04/06/2013 06:53 PM, Paul Wise wrote:
> On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
>
>> I am an undergrad student interested in OpenPGP integration in mailman as a
>> GSOC project this summer.
neat, i'm glad to hear it!
> I'm not sure about the scope of your project but you may want t
On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
> I am an undergrad student interested in OpenPGP integration in mailman as a
> GSOC project this summer.
Cool!
I'm not sure about the scope of your project but you may want to
review some prior efforts:
http://schleuder2.nadir.org/
http://www.