Rich Kulawiec wrote:
> What all of this means is that once a list passes N members, where
> we can debate about N, the probability that at least one of those
> members has already been compromised even before they've joined the
> list starts rapidly increasing.

I understand there are more insecure devices on the Internet all the time and that's unfortunate, but I don't think it's avoidable. What do you suggest we do about this using Mailman (since this is Mailman-developers)?

Perhaps this means I don't understand what the goals of combining a mailing list and public key cryptography are (could someone please state what those goals are?). I took the goals to be the following:

- make changes in messages easier to identify at the endpoints, so long as posters use strong cryptography methods and sign+encrypt their posts. Sure, a compromised device could change the message between the time someone writes their message and the time they sign+encrypt it, thus signing+encrypting an altered message. But we have that problem now and I don't see anyone calling for all research work to stop on any number of other things because of it. Also, for those without compromised devices who know what they're doing (a smaller set of people, as you point out) posts to mailing lists are likely easily changeable without most people being the wiser or having any ability to verify short of constantly asking others "Did you really post this?". Given how much en route data alteration is going on, it seems we ought to do something to at least let the user know the message they're looking at has a high likelihood of not being what was sent.

- provide a practical means of using extant services (along with most of the UI expectations and technical advantages we've come to expect) to convey encrypted data and store encrypted data such that the plaintext of a message is not often exposed to any program server-side.

- allow users to do some degree of identity confirmation. With what I've seen in this thread so far, poster identities are as verifiable as public key encryption and web of trust allow. If I see a post from someone I trust who I know knows how to use, say, GPG correctly, I then have increased confidence their post was signed by them. Currently, where lists are typically entirely plaintext, I understand it's quite easy for someone to post in someone else's name and email address and for any network operator (such as one's ISP) to alter the data en route.

But I could have the goals of this entire endeavor completely wrong, in which case I await correction.
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers