On 04/25/2013 04:36 PM, Stefan Schlott wrote:
> On 25.04.2013 00:14, Abhilash Raj wrote:
>
>> 1) When a message is decrypted and then passed on between the queues, it
>> creates a security threat for the cleartext message is being held in
>> memory, even for a small time in between the runners.
>
> The Mailman server holds the key to decrypt _every_ incoming message. So
> if the server is compromised, a message temporarily held in memory is
> the least of your problems :-)

Abhilash might have meant that there is a concern that a decrypted
message could be stored *on disk* in one of the queues, not just in
memory. This could be a problem if an adversary gets access to the disk
and can get access to the backing storage, even after the files have
been unlinked from the filesystem (since unlinking files doesn't
guarantee removal of all traces from the backing storage).

Of course, if the secret key for the list is kept without a passphrase
on the same filesystem or on a separate filesystem on the same backing
storage, then your risk is elevated to begin with.

Abhilash, I don't see any mention in your proposal of how you plan to
deal with the secret key material. Will there be a way for mailman to
use a secret key that is stored in a password-protected form? If so, how?

--dkg
_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
