Hi, the requirement to use OpenPGP encryption has been somewhat annoying for me personally in the past, especially because it did not allow me to read mirror-related e-mails (sometimes relatively time-critical ones) on my smartphone. This has happened to me on vacation in another country (I don't have a laptop) and at the local university, during breaks that I could have used to fix a problem if I had known which one it was.
Also, the information shared via encrypted e-mail about my mirror in any direction has never been so confidential that encryption would have been necessary in my opinion. I know that it is probably best to encrypt all communication to prevent an attacker (e.g. NSA) from understanding which e-mails are really interesting, but the cost of encryption has outweighed the benefits for me so far.

What I'd absolutely keep, though, is the *signing* of e-mails. I need to be able to check if a request has really been sent by the undersigning person. If I can be sure that the request is valid (e.g. "your server is down") without verifying the OpenPGP signature, I might react directly (e.g. restart the server) instead of verifying the signature. If I can't, I must verify the signature.

Also, I hope that the same level of verification is applied when I send an e-mail about my mirror. If I quote the sender's e-mail in my reply and simply confirm fixing a problem, checking my signature might be unnecessary. If I request the removal of my mirror from the pool, I really hope that the request will be properly verified. If my signature is missing, I hope that I'd be asked to provide a valid OpenPGP signature, a message on my website or whatever else would be sufficient to identify me as the sender of the request.

Sending and receiving encrypted e-mails is rather annoying; sending and receiving signed e-mails is necessary, I'd say.

Best regards,
Tobias Frei

2016-03-04 20:18 GMT+01:00 intrigeri <[email protected]>:
> Hi,
>
> We'll soon be in a position to add more servers to the pool of HTTP mirrors that serve our ISO images and IUKs. Before I publish the corresponding call for help, and get in touch with operators of potential fast mirrors (#11079), I'd like to make sure we get the requirements right.
>
> So far, we (or was it perhaps just me?) have insisted on having a way to communicate using OpenPGP with each operator of a HTTP mirror in our pool. I'm starting to question this. [In case anyone here didn't get that memo: yes, it often takes me years to change my mind.]
>
> This requirement has one clear disadvantage: it excludes some fast mirrors, e.g. lots of those that are run in universities (I have to trust people who are more in touch with operators of such candidate mirrors, on this one, as I have personally no idea). Also, on our side it adds to the burden of maintaining our pool of mirrors: maintaining a keyring isn't easy, and it gets quite hard if one wants to try to do it seriously.
>
> We are in the process of dropping at least another requirement of ours (the need for a dedicated hostname) that might have been a blocker, so I think it's time to check our list of requirements.
>
> I think the main advantages of requiring OpenPGP-enabled communication with mirror operators are:
>
> * We can authenticate requests sent to us by mirror operators: e.g. "please remove my mirror from the pool", that could otherwise be used to degrade our pool of mirrors, just by spoofing the sender address.
>
>   - Are we seriously checking the OpenPGP signature on such requests? I used to do it, and used to require a good trust path for key updates, but I am under the impression that this might all have been handled in a more flexible way recently. sajolida?
>
>   - Perhaps we would notice if too many mirrors were removed (this calls for a monitoring check, I guess), and perhaps mirror operators would notice if they don't get the traffic they expect? IOW, perhaps we have other ways to avoid such attacks from being effective enough to be attractive in the first place.
>
> * Mirror operators can authenticate instructions we send them, e.g. "please add this option to your nginx configuration". Without this, anyone can quite trivially DoS our pool of HTTP mirrors, until someone notices. The thing is, we have no idea if the operators of our mirrors check this, i.e. whether they would notice if some email apparently coming from us was not signed.
>
> * More?
>
> I'm now less convinced that these advantages are worth the drawbacks, and could be ready to drop the OpenPGP communication requirement.
>
> Thoughts?
>
> Cheers,
> --
> intrigeri
> _______________________________________________
> Tails-dev mailing list
> [email protected]
> https://mailman.boum.org/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to [email protected].

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
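As an added illustration (not code from this thread or from the Tails project), one way to do the check intrigeri asks about: verify a signed mirror-operator request with gpg and accept it only if the signing key's fingerprint is pinned to a known operator, rather than merely being present in the keyring. The `OPERATOR_KEYS` allowlist and the fingerprints are hypothetical, constructed values; the status tags are GnuPG's documented `--status-fd` output.

```python
import subprocess
from typing import Iterable, Optional

# Hypothetical allowlist of mirror operators, keyed by the PRIMARY key
# fingerprint (uppercase hex). These values are constructed, not real keys.
OPERATOR_KEYS = {
    "1111222233334444555566667777888899990000": "mirror-a.example",
}

# Any of these status tags means the signature must not be accepted, whatever
# else gpg reports (expired or revoked keys still yield a VALIDSIG line).
FAILURE_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def authenticate_request(status_lines: Iterable[str],
                         allowlist=OPERATOR_KEYS) -> Optional[str]:
    """Return the operator name if gpg reports a good signature made by an
    allowlisted key, else None. Keyring membership alone is not enough."""
    good = False
    fingerprints = []
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in FAILURE_TAGS:
            return None
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # fields[2] is the fingerprint of the (sub)key that signed;
            # when present, fields[11] is the primary key fingerprint.
            fingerprints.append(fields[2].upper())
            if len(fields) >= 12:
                fingerprints.append(fields[11].upper())
    if not good:
        return None
    for fpr in fingerprints:
        if fpr in allowlist:
            return allowlist[fpr]
    return None

def verify_signed_mail(path: str) -> Optional[str]:
    """Run gpg on a clearsigned message file and pin the result to the
    allowlist. Needs a local gpg with the operator keys imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True)
    return authenticate_request(proc.stdout.splitlines())
```

A removal request that arrives unsigned, or signed by a key not in the allowlist, yields `None` and should fall back to the out-of-band identification Tobias describes.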
