On Wed, 2005-03-02 at 12:37 +0100, Brad Knowles wrote:
> At 8:31 AM +0100 2005-03-02, Stefan Schlott wrote:
> >                                                Further, this will reveal
> >  all recipients' key ids - something not wanted in anonymous lists.
> 
>       True.  A session key would be encrypted to each key id, so the 
> key ids would be visible.  However, subscriber information is not too 
> hard to get from Mailman even when it's supposedly limited to being 
> available only to the admin, so I think there may be bigger fish to 
> fry elsewhere.
> 
> >  Imho the tradeoff lies somewhere in between - encrypt messages to n
> >  recipients (yet to be implemented).
> 
>       The problem is that encrypting a message is a very CPU-intensive 
> process, and you don't want to figure off thousands and thousands of 
> message encryption processes for every single submission -- you'd DoS 
> yourself to death.  You'd have to make n pretty large in order to be 
> able to make this scalable.

In theory, you could encrypt the message once with a session key, and
then distribute it n times, each time adding the packet which has the
session key encrypted with the public key of the recipient.  This should
cost you very little more in encryption CPU requirements than a message
encrypted to n recipients in the normal fashion.  The rest of the
additional required overhead is basically the same as turning
personalisation on for a list.

Not sure how amenable GPG is to doing this sort of hacking, but it
sounds plausible to me (obviously too few coffees this morning).

        Nigel.
-- 
[ Nigel Metheringham           [EMAIL PROTECTED] ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
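
The scheme Nigel describes, together with the key-ID exposure Stefan raises, can be seen at the OpenPGP packet level. The following is an added example, not part of the original message and not GnuPG or Mailman code: it takes a message encrypted once to n recipients and produces per-recipient copies that each carry only that recipient's encrypted-session-key packet. It assumes version 3 public-key encrypted session key packets and definite packet lengths (RFC 4880 framing); the sample bytes and key IDs are constructed placeholders, not real ciphertext.

```python
import struct

PKESK, SEIPD = 1, 18  # OpenPGP packet tags (RFC 4880): session-key packet, encrypted data

def packets(data):
    """Yield (tag, body, raw_packet) for each definite-length packet in data."""
    pos = 0
    while pos < len(data):
        start, hdr = pos, data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths not handled in this example")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled in this example")
            size = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length], data[start:pos + length]
        pos += length

def key_ids(message):
    """Key IDs readable by anyone holding the message (v3 PKESK: version, 8-byte key ID)."""
    return [body[1:9].hex().upper() for tag, body, _ in packets(message) if tag == PKESK]

def split_per_recipient(message):
    """Map key ID -> that recipient's PKESK packet plus the shared encrypted body."""
    pkesk, rest = {}, b""
    for tag, body, raw in packets(message):
        if tag == PKESK:
            pkesk[body[1:9].hex().upper()] = raw
        else:
            rest += raw  # encrypted once, reused unchanged in every copy
    return {kid: esk + rest for kid, esk in pkesk.items()}

def _new_packet(tag, body):
    """Frame constructed sample data as a new-format packet (one-octet length only)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample: three PKESK packets (placeholder key IDs and MPI) and one data packet.
SAMPLE_IDS = ["1111111111111111", "2222222222222222", "3333333333333333"]
SAMPLE = b"".join(_new_packet(PKESK, b"\x03" + bytes.fromhex(k) + b"\x01\x00\x08\xAA")
                  for k in SAMPLE_IDS) + _new_packet(SEIPD, b"\x01" + b"\xEE" * 40)
```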


_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
