Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-29 Thread Ian Eiloart

On 27 Apr 2013, at 14:40, Richard Wackerbarth r...@dataplex.net wrote:

 I don't think that we have the expertise to create a secure system. At 
 best, we can adopt good practices and provide an obscured traffic stream. I 
 consider anything more to be beyond the scope of the MM project.
 

Also, what kind of secure list would have automated processing of message 
content as a requirement? If a message is gpg encrypted, then every sender 
would require the public keys of every recipient, would they not? Which means 
that a PKI for the list holders is required. Currently outside of Mailman's 
scope, but if it exists, then presumably senders would be required to 
cryptographically sign every message. All the list needs to do is verify the 
signature before redistributing. THAT is going to be the main body processing 
requirement.

 On Apr 27, 2013, at 8:22 AM, Stefan Schlott stefan.schl...@ulm.ccc.de wrote:
 
 On 27.04.2013 06:45, Stephen J. Turnbull wrote:
 
 2. Your list has elevated security requirements. In this case, you can
 use gpg-agent to manage the secret key (and its passphrase).
 
 I don't understand what threat you propose to address in this way.
 It's true that you can prevent the attacker from getting access to the
 key (using agent forwarding or a token, it need not be on the exposed
 host at all), but we're assuming he has access to the host and the
 Mailman process.
 
 The gpg-agent approach protects you from all storage-related attacks:
 - unencrypted backups
 - physical access to the harddrive
 - etc.
 
 It does not protect from attackers who have access to the contents of
 the computer's RAM:
 - raw memory access and scanning for the secret key (requires root)
 - memory dump via DMA-enabled interfaces (firewire, pc-card, ...)
 - cold boot attacks
 
 
 Stefan
 ___
 Mailman-Developers mailing list
 Mailman-Developers@python.org
 http://mail.python.org/mailman/listinfo/mailman-developers
 Mailman FAQ: http://wiki.list.org/x/AgA3
 Searchable Archives: 
 http://www.mail-archive.com/mailman-developers%40python.org/
 Unsubscribe: 
 http://mail.python.org/mailman/options/mailman-developers/iane%40sussex.ac.uk
 
 Security Policy: http://wiki.list.org/x/QIA9

-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-29 Thread Stefan Schlott
On 29.04.2013 11:40, Ian Eiloart wrote:

 Also, what kind of secure list would have automated processing of
 message content as a requirement?

imho you're asking the wrong question ;-) _All_ network communication
should be encrypted, it is a pity that mail encryption is so little adopted.


 If a message is gpg encrypted, then
 every sender would require the public keys of every recipient, would
 they not?

No. The idea here is that the recipient of a mail sent to a mailing list is
the (trusted) mailman server, thus the only key needed is the mailing
list public key. Mailman has access to its secret key, decrypts the
incoming message and re-encrypts it for each recipient.


Stefan.


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-29 Thread Stephen J. Turnbull
Ian Eiloart writes:

  Also, what kind of secure list would have automated processing of
  message content as a requirement?

Precisely, a list that wants to avoid this requirement:

  If a message is gpg encrypted, then every sender would require the
  public keys of every recipient, would they not?

The idea is that senders use the list's public key.  The list holds
those public keys, and uses them to re-encrypt the message on a
recipient-by-recipient basis after decrypting with its own private
key.

The discussion has been about how to deal with attacks on (a) the
list's private key (including offline attacks on the hard drive) and
on (b) the temporarily decrypted text (which could end up in the clear
for a long time in a queue file or if Mailman crashes).



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-29 Thread Richard Damon
On 4/29/13 5:40 AM, Ian Eiloart wrote:
 Also, what kind of secure list would have automated processing of
 message content as a requirement? If a message is gpg encrypted, then
 every sender would require the public keys of every recipient, would
 they not? Which means that a PKI for the list holders is required.
 Currently outside of Mailman's scope, but if it exists, then
 presumably senders would be required to cryptographically sign every
 message. All the list needs to do is verify the signature before
 redistributing. THAT is going to be the main body processing requirement.

That is one way, the other is you send the message encrypted to the
list's public key, and the list decrypts the message and then reencrypts
to each recipient's public key. (In many cases this doesn't actually
require decrypting/reencrypting the whole message, just the session key
block).

The list could also check any signature, and sign messages with valid
signatures with its key.

That way, subscribers don't need any other subscriber's public key. In
fact, I think the list could even be set up anonymous so you might not
even know who anyone else was, just that the list has validated that the
message came from someone on the list.

-- 
Richard Damon



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-27 Thread Daniel Kahn Gillmor
On 04/27/2013 12:45 PM, Stephen J. Turnbull wrote:
 Stefan Schlott writes:
 
   2. Your list has elevated security requirements. In this case, you can
   use gpg-agent to manage the secret key (and its passphrase).
 
 I don't understand what threat you propose to address in this way.
 It's true that you can prevent the attacker from getting access to the
 key (using agent forwarding or a token, it need not be on the exposed
 host at all), but we're assuming he has access to the host and the
 Mailman process.

If mailman is storing messages on-disk in an encrypted form, Stefan's
proposal mitigates the threat of an adversary with offline access to the
disk (e.g. in the event of server theft or seizure) -- no additional
message content will be revealed if such an adversary scrapes the
contents of the disk.

--dkg




Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-27 Thread Stephen J. Turnbull
Daniel Kahn Gillmor writes:

  If mailman is storing messages on-disk in an encrypted form, Stefan's
  proposal mitigates the threat of an adversary with offline access to the
  disk (e.g. in the event of server theft or seizure)

OK, it does that.

But in the event of that kind of threat, I think you also need to
protect the logs and lists.  I guess you can deal with the logs by the
simple expedient of not keeping them.






Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-27 Thread Stefan Schlott
On 27.04.2013 06:45, Stephen J. Turnbull wrote:

   2. Your list has elevated security requirements. In this case, you can
   use gpg-agent to manage the secret key (and its passphrase).
 
 I don't understand what threat you propose to address in this way.
 It's true that you can prevent the attacker from getting access to the
 key (using agent forwarding or a token, it need not be on the exposed
 host at all), but we're assuming he has access to the host and the
 Mailman process.

The gpg-agent approach protects you from all storage-related attacks:
- unencrypted backups
- physical access to the harddrive
- etc.

It does not protect from attackers who have access to the contents of
the computer's RAM:
- raw memory access and scanning for the secret key (requires root)
- memory dump via DMA-enabled interfaces (firewire, pc-card, ...)
- cold boot attacks


Stefan.


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-27 Thread Richard Wackerbarth
I don't think that we have the expertise to create a secure system. At 
best, we can adopt good practices and provide an obscured traffic stream. I 
consider anything more to be beyond the scope of the MM project.

On Apr 27, 2013, at 8:22 AM, Stefan Schlott stefan.schl...@ulm.ccc.de wrote:

 On 27.04.2013 06:45, Stephen J. Turnbull wrote:
 
 2. Your list has elevated security requirements. In this case, you can
 use gpg-agent to manage the secret key (and its passphrase).
 
 I don't understand what threat you propose to address in this way.
 It's true that you can prevent the attacker from getting access to the
 key (using agent forwarding or a token, it need not be on the exposed
 host at all), but we're assuming he has access to the host and the
 Mailman process.
 
 The gpg-agent approach protects you from all storage-related attacks:
 - unencrypted backups
 - physical access to the harddrive
 - etc.
 
 It does not protect from attackers who have access to the contents of
 the computer's RAM:
 - raw memory access and scanning for the secret key (requires root)
 - memory dump via DMA-enabled interfaces (firewire, pc-card, ...)
 - cold boot attacks
 
 
 Stefan


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Stefan Schlott

On 25.04.2013 15:35, Daniel Kahn Gillmor wrote:

 abhilash might have meant that there is a concern that a decrypted 
 message could be stored *on disk* in one of the queues, not just
 in memory.

Of course, it's a good idea to decrypt the data as late as possible in
order to avoid unnecessary mistakes.

When does mailman store received messages on disk? I can think of the
following:
- swapping. Either you request non-swappable memory from your OS
  (might be tricky in Python), or you encrypt your swap device with
  a new, randomly generated key on every startup.
- mailinglist archive. You simply shouldn't keep a (decrypted) archive
  on the server.
- disk queue. I don't remember if mailman persists received (but not
  yet sent) mails on disk.

Addressing the last point, you can either choose to decrypt the mail
in a later stage, or (if this is a bad idea for performance reasons)
deal with this problem with an adequate system configuration, although
this is tricky and certainly error-prone. But I think it could be done
by excluding the queue from backup (unless, of course, the backup is
encrypted, which you should do anyway) and having an encrypted file
system.


Stefan.



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Stefan Schlott
On 25.04.2013 21:10, Abhilash Raj wrote:

 Abhilash, i don't see any mention in your proposal of how you plan to
 deal with the secret key material.  will there be a way for mailman to
 use a secret key that is stored in a password-protected form?  If so, how?

 Well I am not quite proficient in cryptography but I tried to answer how
 could it be done and have updated on the same link[1]. Here is a copy of
 only that part:
 
 One of the biggest issues of any cryptographic procedure is to secure and
 manage the keys. Firstly for the lists, when the list is created by the
 owner the keypair is generated by mailman in some time (because when I was
 trying to create one using gnupg, it asked me to wait for some time and keep
 doing some work to get threshold entropy. Although in reality I don't have
 much idea about how the keys are created, but I am guessing that it
 somewhere uses the random bits from the memory of the host where key is
 created and thus required a threshold entropy for the proper randomization
 of the key. On virtualised Linux systems, this can often be achieved by
 installing the rng-tools package.) and is stored in the database against
 the name of the list. It will then be available for download to the

May I suggest that mailman doesn't create the list key by itself, but
ask the list maintainer to upload a public/private key pair (if no
crypto hardware is used, see below)? On a virtualized system, getting
real randomness is tricky.


 subscribers. [python-gnupg][2] also allows one to encrypt/decrypt using the
 keys that are protected by a passphrase. Such passphrase though would then
 be stored in cleartext format in database. Though this poses a security
 threat but even if you encrypt and store the passphrase, you can only slow
 the process of decryption once the server is compromised since the
 private-passphrase-encryption key will also be needed to be stored
 somewhere on the local disk.

I would distinguish the following two scenarios:

1. The list is not-so-high-sec that you can risk storing the secret key
without a password (which is the equivalent to storing the passphrase in
the database).

2. Your list has elevated security requirements. In this case, you can
use gpg-agent to manage the secret key (and its passphrase). This would
require the sysadmin to start the gpg-agent and enter the list's
passphrase before firing up mailman (or mailman could queue incoming
mails until the secret key becomes available). This would open you the
option to have the mailing list's secret key on a hardware token (e.g.
the CryptoStick
http://shop.kernelconcepts.de/product_info.php?cPath=1_26products_id=133).


Stefan.


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Barry Warsaw

On Apr 26, 2013, at 02:09 PM, Stefan Schlott wrote:

 - disk queue. I don't remember if mailman persists received (but not
 yet sent) mails on disk.

 Addressing the last point, you can either choose to decrypt the mail
 in a later stage, or (if this is a bad idea for performance reasons)
 deal with this problem with an adequate system configuration, although
 this is tricky and certainly error-prone. But I think it could be done
 by excluding the queue from backup (unless, of course, the backup is
 encrypted, which you should do anyway) and having an encrypted file
 system.

Yes, Mailman caches the messages and the metadata as it transfers the message
from queue to queue.  These two pieces of information are what make up the
.pck (Python pickle) files in the queue directories, so for example, after the
message has been moderated, it lives in a pck file until the modification
runner picks it up for processing.

One option, which might suck performance-wise, would be to decrypt the message
multiple times.  Thus the moderation queue runner would decrypt the message if
it needs to make moderation decisions based on the encrypted payload (it may
not need to though, since a lot can be discerned from the headers and other
cleartext information).  If it decides that the message is okay to post, it
would not store the decrypted message in the queue, but instead the original
message with the encrypted payload.  The next queue runner would then also
have to decrypt the message to do its processing.

OTOH, maybe that's all security theater.  If the Mailman system's private key
is available to an attacker, then having the encrypted message on disk
temporarily is probably not going to stop them from decrypting it.

-Barry
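The trade-off described in the message above (queue the decrypted message, or queue the original encrypted payload and decrypt again in each runner), as an added example that is not Mailman code and not from any poster in this thread. The runner functions, the `.pck` file name, the sample message and the SHA-256 keystream standing in for OpenPGP decryption are assumptions made for illustration; the stand-in cipher is not secure.

```python
import hashlib
import pickle
import tempfile
from email import message_from_string
from pathlib import Path

LIST_KEY = b"constructed-list-key"                  # stand-in for the list's secret key
SECRET_BODY = b"Rotate the signing key on Friday."  # constructed plaintext
NEEDLE = b"signing key"                             # fragment an offline disk scan would find


def toy_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Stand-in for OpenPGP, NOT secure."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def incoming_message():
    """Constructed post: cleartext headers, payload encrypted to the list key."""
    msg = message_from_string(
        "From: alice@example.org\nTo: list@example.org\nSubject: status\n\n")
    msg.set_payload(toy_crypt(LIST_KEY, SECRET_BODY).hex())
    return msg


def decrypt_payload(msg) -> bytes:
    """Decrypt in memory only; the caller decides whether the result is stored."""
    return toy_crypt(LIST_KEY, bytes.fromhex(msg.get_payload()))


def moderation_runner(msg, queue_dir: Path, store_decrypted: bool) -> Path:
    """Decide from cleartext headers, then pickle message + metadata to a .pck."""
    if not msg["From"].endswith("@example.org"):
        raise PermissionError("held for moderation")
    metadata = {"listname": "list@example.org", "encrypted": True}
    if store_decrypted:
        # Variant 1: the decrypted message is what gets written to the queue.
        msg.set_payload(decrypt_payload(msg).decode())
        metadata["encrypted"] = False
    # Variant 2 (store_decrypted=False): the original encrypted payload is queued.
    path = queue_dir / "0001.pck"
    path.write_bytes(pickle.dumps((msg, metadata)))
    return path


def next_runner(path: Path) -> bytes:
    """Next queue runner: decrypts again if the queued payload is still encrypted."""
    msg, metadata = pickle.loads(path.read_bytes())  # queue files are trusted local data
    if metadata["encrypted"]:
        return decrypt_payload(msg)
    return msg.get_payload().encode()


def queue_contains(queue_dir: Path, needle: bytes) -> bool:
    """What someone holding a copy of the queue directory could grep for."""
    return any(needle in p.read_bytes() for p in queue_dir.glob("*.pck"))


def run(store_decrypted: bool) -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        queue_dir = Path(tmp)
        path = moderation_runner(incoming_message(), queue_dir, store_decrypted)
        return {
            "delivered": next_runner(path),
            "plaintext_on_disk": queue_contains(queue_dir, NEEDLE),
        }


if __name__ == "__main__":
    for mode in (True, False):
        print("store_decrypted =", mode, "->", run(mode))
```

Both variants deliver the same text to the next runner; they differ only in whether a copy of the queue directory exposes it, which matters only when the key is not readable from the same copy.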


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Terri Oda

On 04/26/2013 12:45 PM, Barry Warsaw wrote:

 OTOH, maybe that's all security theater.  If the Mailman system's private key
 is available to an attacker, then having the encrypted message on disk
 temporarily is probably not going to stop them from decrypting it.


I've been wondering about that... is there any time when the encrypted 
message on disk would be available but the private key not?


- snapshot backups of Mailman queues but not the key
- corrupted filesystems
- unusual permissions that allow access to the queues but not the key
- mailman is only allowed to deal with encrypted messages when someone 
inserts the key which is stored on another physical device?


It's probably best to keep things encrypted as much as possible just in 
case there is a threat model we're not thinking of, but unless we're 
doing more to protect the key, I'm not sure we're gaining much.


 Terri



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Stefan Schlott
On 26.04.2013 20:55, Terri Oda wrote:

 I've been wondering about that... is there any time when the encrypted
 message on disk would be available but the private key not?

As already pointed out, there are (at least) two ways to avoid an
unprotected secret key (or the corresponding pass phrase, respectively)
on disk:

- Keep the passphrase only in RAM (e.g. entering it when starting
mailman or by using gpg-agent)
- Having the secret key on a smartcard


Stefan.


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Stephen J. Turnbull
Stefan Schlott writes:

  2. Your list has elevated security requirements. In this case, you can
  use gpg-agent to manage the secret key (and its passphrase).

I don't understand what threat you propose to address in this way.
It's true that you can prevent the attacker from getting access to the
key (using agent forwarding or a token, it need not be on the exposed
host at all), but we're assuming he has access to the host and the
Mailman process.

At a minimum you need some kind of privilege separation mechanism
within Mailman.  I'd recommend a postfix-style separate process which
does all cryptographic work.  But this might be a very large
performance hit.



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Stephen J. Turnbull
Barry Warsaw writes:

  OTOH, maybe that's all security theater.  If the Mailman system's
  private key is available to an attacker, then having the encrypted
  message on disk temporarily is probably not going to stop them from
  decrypting it.

It's worse than that.  The attacker doesn't need the key, he just
needs to be able to suborn the Mailman process.

There is a scenario where the attacker might want access to the key
itself, and that's if he wants to use it somewhere else for some
reason (ie, to spoof that Mailman server).  But I think the primary
scenario is that the attacker just wants access to list traffic, and
for that the ability to install a rule or handler is sufficient in
the current architecture.

I think we should assume that the Mailman host is secure[1], and worry
about how Mailman itself provides an attack surface.

Footnotes: 
[1]  I know that that assumption is incorrect.  Nevertheless, I don't
see what Mailman can do about it without a complete redesign starting
from the assumption of encrypted messages whose plain text must 
be exposed as briefly as possible.



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-25 Thread Stefan Schlott
On 25.04.2013 00:14, Abhilash Raj wrote:

 1) When a message is decrypted and then passed on between the queues, it
 creates a security threat for the cleartext message is being held in
 memory, even for a small time in between the runners.

The Mailman server holds the key to decrypt _every_ incoming message. So
if the server is compromised, a message temporarily held in memory is
the least of your problems :-)

Stefan.



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-25 Thread Daniel Kahn Gillmor
On 04/25/2013 04:36 PM, Stefan Schlott wrote:
 On 25.04.2013 00:14, Abhilash Raj wrote:
 
 1) When a message is decrypted and then passed on between the queues, it
 creates a security threat for the cleartext message is being held in
 memory, even for a small time in between the runners.
 
 The Mailman server holds the key to decrypt _every_ incoming message. So
 if the server is compromised, a message temporarily held in memory is
 the least of your problems :-)

abhilash might have meant that there is a concern that a decrypted
message could be stored *on disk* in one of the queues, not just in
memory.  This could be a problem if an adversary gets access to the disk
and can get access to the backing storage, even after the files have
been unlinked from the filesystem (since unlinking files doesn't
guarantee removal of all traces from the backing storage).

Of course, if the secret key for the list is kept without a passphrase
on the same filesystem or on a separate filesystem on the same backing
storage, then your risk is elevated to begin with.

Abhilash, i don't see any mention in your proposal of how you plan to
deal with the secret key material.  will there be a way for mailman to
use a secret key that is stored in a password-protected form?  If so, how?

--dkg




Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-25 Thread Abhilash Raj
On Thu, Apr 25, 2013 at 7:05 PM, Daniel Kahn Gillmor
d...@fifthhorseman.net wrote:

 On 04/25/2013 04:36 PM, Stefan Schlott wrote:
  On 25.04.2013 00:14, Abhilash Raj wrote:
 
  1) When a message is decrypted and then passed on between the queues, it
  creates a security threat for the cleartext message is being held in
  memory, even for a small time in between the runners.
 
  The Mailman server holds the key to decrypt _every_ incoming message. So
  if the server is compromised, a message temporarily held in memory is
  the least of your problems :-)

 abhilash might have meant that there is a concern that a decrypted
 message could be stored *on disk* in one of the queues, not just in
 memory.  This could be a problem if an adversary gets access to the disk
 and can get access to the backing storage, even after the files have
 been unlinked from the filesystem (since unlinking files doesn't
 guarantee removal of all traces from the backing storage).

 Of course, if the secret key for the list is kept without a passphrase
 on the same filesystem or on a separate filesystem on the same backing
 storage, then your risk is elevated to begin with.

 Abhilash, i don't see any mention in your proposal of how you plan to
 deal with the secret key material.  will there be a way for mailman to
 use a secret key that is stored in a password-protected form?  If so, how?

Well I am not quite proficient in cryptography but I tried to answer how
could it be done and have updated on the same link[1]. Here is a copy of
only that part:

One of the biggest issues of any cryptographic procedure is to secure and
manage the keys. Firstly for the lists, when the list is created by the
owner the keypair is generated by mailman in some time (because when I was
trying to create one using gnupg, it asked me to wait for some time and keep
doing some work to get threshold entropy. Although in reality I don't have
much idea about how the keys are created, but I am guessing that it
somewhere uses the random bits from the memory of the host where key is
created and thus required a threshold entropy for the proper randomization
of the key. On virtualised Linux systems, this can often be achieved by
installing the rng-tools package.) and is stored in the database against
the name of the list. It will then be available for download to the
subscribers. [python-gnupg][2] also allows one to encrypt/decrypt using the
keys that are protected by a passphrase. Such passphrase though would then
be stored in cleartext format in database. Though this poses a security
threat but even if you encrypt and store the passphrase, you can only slow
the process of decryption once the server is compromised since the
private-passphrase-encryption key will also be needed to be stored
somewhere on the local disk.

The pub-keys added by the users will be stored in different table(having
many to one relationship with users) and will be used whenever there is a
need to encrypt or verify_signature.


[1]: https://gist.github.com/maxking/5455462#key-management

 --dkg






-- 
Abhilash Raj


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-25 Thread Barry Warsaw
On Apr 22, 2013, at 06:24 AM, Richard Wackerbarth wrote:

 I echo Stephen's comments. Although I try to lurk on the #mailman channel
 most of the time, being half a world away from him, I am most likely to be at
 the keyboard after 1100 UTC and before 0200 UTC.

We chatted on #mailman a few days ago, and hopefully it was helpful.

In general I'm always on #mailman during working hours UTC-4 (currently), but
you will have to ping my nick to get my attention.  See the channel topic for
details.

-Barry


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-24 Thread Abhilash Raj
Hi all,

I made a small list[1] of deliverables for this project and required changes
in mailman for it. Can you all please review it and comment on how it can
be improved.

Also there are two points that I am not able to think on,

1) When a message is decrypted and then passed on between the queues, it
creates a security threat for the cleartext message is being held in
memory, even for a small time in between the runners.

2) Which one is the best standard to be implemented for encryption/signing
of the email?


[1]: https://gist.github.com/maxking/5455462

Thanks


On Mon, Apr 22, 2013 at 5:09 PM, Richard Wackerbarth r...@dataplex.net wrote:

 Although there might be a place for the use of OpenPGP for identification
 of users to the WebUI, such a project would not, in itself, be sufficiently
 complex for a GSoC project. If you are interested in such an effort, it
 would need to be combined with other (preferably related) aspects of
 authentication such as identification of submitted email messages.


 On Apr 22, 2013, at 6:29 AM, Paul Wise p...@debian.org wrote:

  On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
 
  I am an undergrad student interested in OpenPGP integration in mailman as a
  GSOC project this summer.
 
  Here is a semi-related idea; use OpenPGP instead of passwords for
  authentication to the web interface, possibly using monkeysphere:
 
  http://web.monkeysphere.info/
 
  --
  bye,
  pabs
 
  http://wiki.debian.org/PaulWise




-- 
Abhilash Raj


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-24 Thread Stephen J. Turnbull
Abhilash Raj writes:

  I made a small list[1]

  [1]: https://gist.github.com/maxking/5455462

I strongly recommend that you put this in your proposal on Melange.
The mentors will all see it on the mentors' list that way, and you
won't get caught short at deadline when Melange crashes.[1]

If you want to keep a public copy of your proposal, that's very cool
(and if you're accepted, you *must* keep a blog as well as publicly
commit your code so you may as well start now IMO).

(Speaking for myself) I don't have a problem with you posting it here,
especially if you post only excerpts of new and changed content from
your proposal (even though that would duplicate the Melange mail for
us mentors).

However, you might want to see what Barry (as The Big Boss) and the
mentors say about posting your proposal, especially more than once a
day; others might be more sensitive to an increased amount of mail.

Footnotes: 
[1]  Based on past experience, that's *when* Melange crashes, not if
Melange crashes. :-/



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-22 Thread Abhilash Raj
Hi all,

Can you tell about who is going to mentor this (OpenPGP integration with
mailman) so that I can discuss a few things about the application? Also
others can you please give me a few suggestions about proposal on the idea
that is discussed in this[1] thread.

[1]:
http://mail.python.org/pipermail/mailman-developers/2013-April/022675.html

Thanks,


On Wed, Apr 10, 2013 at 3:09 PM, Joost van Baal-Ilić 
joostvb-mailman-develop...@mdcc.cx wrote:

 Hi Abhilash Raj,

 Abhilash Raj raj.abhilash1 at gmail.com schreef:
 On Sun, Apr 7, 2013 at 4:47 AM, Daniel Kahn Gillmor
 dkg at fifthhorseman.net wrote:
  On 04/06/2013 06:53 PM, Paul Wise wrote:
   On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
  
   I am an undergrad student interested in OpenPGP integration in mailman
   as a GSOC project this summer.

  neat, i'm glad to hear it!

 Be aware however: it's not an easy task, as Daniel Kahn Gillmor pointed
 out.

   I'm not sure about the scope of your project but you may want to
   review some prior efforts:
  
   http://schleuder2.nadir.org/
   http://www.synacklabs.net/projects/crypt-ml/
 
  see also:
 
http://non-gnu.uvt.nl/mailman-pgp-smime/
http://sels.ncsa.illinois.edu/
 
   My pet favourite feature from the lurker mail archiver is showing
   photos from OpenPGP keys in the archive pages.
 
 Thanks for these links. I am currently going through these projects to
 figure out the implementation part of the OpenPGP into mailman. Also trying
 to use the mailman-php-smime patch to figure out how it is implemented.

 The Mailman Secure List Server Patch hasn't been touched since 2010-09.  It's a
 patch for mailman-2.1.15, not for the development branch.  However, studying it
 will surely give you some inspiration.  Some code might be reusable too.

 If you'd like to discuss details of this patch, you're invited to join the list
 at ssls-...@ulm.ccc.de.

 I'd be glad to help you dealing with the work.

 Bye,

 Joost

 --
 http://mdcc.cx/ xhttp://ad1810.com/




-- 
Abhilash Raj

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-22 Thread Stephen J. Turnbull
Abhilash Raj writes:

  Can you tell about who is going to mentor this(OpenPGP integration with
  mailman)

I would guess the official mentors are likely to be myself and Wacky
(Richard Wackerbarth).  Joost isn't official (why not? -- you get a
T-shirt! :-) but he has expressed interest and offered help.

Lack of a secure through-the-mail channel for several aspects of
Mailman is a pain point for many users, though, so I suspect there
will be a lot of interest (including suggestions and even code
contributions) from non-mentors.  I strongly suggest that you keep the
discussion on this list for that reason.

I will also try to be available on IRC Freenode #mailman as yaseppochi
for the next two days (more or less 1am to 1pm UTC), and
intermittently after that.  Other mentors will probably be there, too.

  so that I can discuss a few things about the application? Also
  others can you please give me a few suggestion about proposal on
  the idea that is discussed in this[1] thread.
  
  [1]:
  http://mail.python.org/pipermail/mailman-developers/2013-April/022675.html
  
  Thanks,
  
  
  On Wed, Apr 10, 2013 at 3:09 PM, Joost van Baal-Ilić 
  joostvb-mailman-develop...@mdcc.cx wrote:
  
   Hi Abhilash Raj,
  
   Abhilash Raj raj.abhilash1 at gmail.com schreef:
   On Sun, Apr 7, 2013 at 4:47 AM, Daniel Kahn Gillmor
   dkg at fifthhorseman.net wrote:
On 04/06/2013 06:53 PM, Paul Wise wrote:
 On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:

 I am an undergrad student interested in OpenPGP integration in mailman
 as a GSOC project this summer.
  
neat, i'm glad to hear it!
  
   Be aware however: it's not an easy task, as Daniel Kahn Gillmor pointed
   out.
  
 I'm not sure about the scope of your project but you may want to
 review some prior efforts:

 http://schleuder2.nadir.org/
 http://www.synacklabs.net/projects/crypt-ml/
   
see also:
   
  http://non-gnu.uvt.nl/mailman-pgp-smime/
  http://sels.ncsa.illinois.edu/
   
 My pet favourite feature from the lurker mail archiver is showing
 photos from OpenPGP keys in the archive pages.
   
   Thanks for these links. I am currently going through these projects to
   figure out the implementation part of the OpenPGP into mailman. Also trying
   to use the mailman-php-smime patch to figure out how it is implemented.

   The Mailman Secure List Server Patch hasn't been touched since 2010-09.  It's a
   patch for mailman-2.1.15, not for the development branch.  However, studying it
   will surely give you some inspiration.  Some code might be reusable too.

   If you'd like to discuss details of this patch, you're invited to join the list
   at ssls-...@ulm.ccc.de.
  
   I'd be glad to help you dealing with the work.
  
   Bye,
  
   Joost
  
   --
   http://mdcc.cx/ xhttp://ad1810.com/
  
  
  
  
  -- 
  Abhilash Raj

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-22 Thread Richard Wackerbarth
I echo Stephen's comments. Although I try to lurk on the #mailman channel most 
of the time,  being half a world away from him, I am most likely to be at the 
keyboard after 1100 UTC and before 0200 UTC.

However, I strongly suggest that you begin more specific questions on this 
mailing list.

Richard Wacky Wackerbarth

On Apr 22, 2013, at 3:33 AM, Stephen J. Turnbull step...@xemacs.org wrote:

 Abhilash Raj writes:
 
 Can you tell about who is going to mentor this(OpenPGP integration with
 mailman)
 
 I would guess the official mentors are likely to be myself and Wacky
 (Richard Wackerbarth).  Joost isn't official (why not? -- you get a
 T-shirt! :-) but he has expressed interest and offered help.
 
 Lack of a secure through-the-mail channel for several aspects of
 Mailman is a pain point for many users, though, so I suspect there
 will be a lot of interest (including suggestions and even code
 contributions) from non-mentors.  I strongly suggest that you keep the
 discussion on this list for that reason.
 
 I will also try to be available on IRC Freenode #mailman as yaseppochi
 for the next two days (more or less 1am to 1pm UTC), and
 intermittently after that.  Other mentors will probably be there, too.
 
 so that I can discuss a few things about the application? Also
 others can you please give me a few suggestion about proposal on
 the idea that is discussed in this[1] thread.
 
 [1]:
 http://mail.python.org/pipermail/mailman-developers/2013-April/022675.html
 
 Thanks,
 
 
 On Wed, Apr 10, 2013 at 3:09 PM, Joost van Baal-Ilić 
 joostvb-mailman-develop...@mdcc.cx wrote:
 
 Hi Abhilash Raj,
 
 Abhilash Raj raj.abhilash1 at gmail.com schreef:
 On Sun, Apr 7, 2013 at 4:47 AM, Daniel Kahn Gillmor
 dkg at fifthhorseman.net wrote:
 On 04/06/2013 06:53 PM, Paul Wise wrote:
 On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
 
 I am an undergrad student interested in OpenPGP integration in mailman
 as a GSOC project this summer.
 
 neat, i'm glad to hear it!
 
 Be aware however: it's not an easy task, as Daniel Kahn Gillmor pointed
 out.
 
 I'm not sure about the scope of your project but you may want to
 review some prior efforts:
 
 http://schleuder2.nadir.org/
 http://www.synacklabs.net/projects/crypt-ml/
 
 see also:
 
  http://non-gnu.uvt.nl/mailman-pgp-smime/
  http://sels.ncsa.illinois.edu/
 
 My pet favourite feature from the lurker mail archiver is showing
 photos from OpenPGP keys in the archive pages.
 
 Thanks for these links. I am currently going through these projects to
 figure out the implementation part of the OpenPGP into mailman. Also trying
 to use the mailman-php-smime patch to figure out how it is implemented.

 The Mailman Secure List Server Patch hasn't been touched since 2010-09.  It's a
 patch for mailman-2.1.15, not for the development branch.  However, studying it
 will surely give you some inspiration.  Some code might be reusable too.

 If you'd like to discuss details of this patch, you're invited to join the list
 at ssls-...@ulm.ccc.de.
 
 I'd be glad to help you dealing with the work.
 
 Bye,
 
 Joost
 
 --
 http://mdcc.cx/ xhttp://ad1810.com/
 
 
 
 
 -- 
 Abhilash Raj

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-22 Thread Paul Wise
On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:

 I am an undergrad student interested in OpenPGP integration in mailman as a
 GSOC project this summer.

Here is a semi-related idea; use OpenPGP instead of passwords for
authentication to the web interface, possibly using monkeysphere:

http://web.monkeysphere.info/

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-22 Thread Richard Wackerbarth
Although there might be a place for the use of OpenPGP for identification of 
users to the WebUI, such a project would not, in itself, be sufficiently 
complex for a GSoC project. If you are interested in such an effort, it would 
need to be combined with other (preferably related) aspects of authentication 
such as identification of submitted email messages.


On Apr 22, 2013, at 6:29 AM, Paul Wise p...@debian.org wrote:

 On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
 
 I am an undergrad student interested in OpenPGP integration in mailman as a
 GSOC project this summer.
 
 Here is a semi-related idea; use OpenPGP instead of passwords for
 authentication to the web interface, possibly using monkeysphere:
 
 http://web.monkeysphere.info/
 
 -- 
 bye,
 pabs
 
 http://wiki.debian.org/PaulWise


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-10 Thread Joost van Baal-Ilić
Hi Abhilash Raj,

Abhilash Raj raj.abhilash1 at gmail.com schreef:
On Sun, Apr 7, 2013 at 4:47 AM, Daniel Kahn Gillmor
dkg at fifthhorseman.net wrote:
 On 04/06/2013 06:53 PM, Paul Wise wrote:
  On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
 
  I am an undergrad student interested in OpenPGP integration in mailman
  as a GSOC project this summer.

 neat, i'm glad to hear it!

Be aware however: it's not an easy task, as Daniel Kahn Gillmor pointed out.

  I'm not sure about the scope of your project but you may want to
  review some prior efforts:
 
  http://schleuder2.nadir.org/
  http://www.synacklabs.net/projects/crypt-ml/

 see also:

   http://non-gnu.uvt.nl/mailman-pgp-smime/
   http://sels.ncsa.illinois.edu/

  My pet favourite feature from the lurker mail archiver is showing
  photos from OpenPGP keys in the archive pages.

Thanks for these links. I am currently going through these projects to
figure out the implementation part of the OpenPGP into mailman. Also trying
to use the mailman-php-smime patch to figure out how it is implemented.

The Mailman Secure List Server Patch hasn't been touched since 2010-09.  It's a
patch for mailman-2.1.15, not for the development branch.  However, studying it
will surely give you some inspiration.  Some code might be reusable too.

If you'd like to discuss details of this patch, you're invited to join the list
at ssls-...@ulm.ccc.de.

I'd be glad to help you dealing with the work.

Bye,

Joost

-- 
http://mdcc.cx/ xhttp://ad1810.com/


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-09 Thread Abhilash Raj
On Sun, Apr 7, 2013 at 7:46 PM, Stephen J. Turnbull step...@xemacs.org wrote:

 Abhilash Raj writes:

   Well what i want to make it is that whenever a user sends a mail to the
   list it should be signed with his private key so that it can be verified
   against his public that he uploads if he wants permissions to post in the
   list.

 You mean that the user should sign it himself (or with the help of his
 mail client), is that correct?

Yes, the user should sign it himself. I am not sure about how it would be
done though.


   As the message is received by mailman its signature is verified and
   then it's encrypted and sent to each person, wherein those who
   haven't uploaded their key will also receive an unencrypted
   copy (with a probability that it may not be intended for them or not
   authentic mail).

 I don't understand the use case for having both encrypted and
 unencrypted copies distributed.  Is the encryption intended to be
 merely authentication?  But what Mailman has is by definition the
 subscriber's public key; anybody might have that.  It *could* be kept
 secret, but I think that's not so easy to prove.

 I would have imagined that maybe Mailman would resign using its own
 private key, to authenticate the list, and testify that it had
 authenticated the sender.

 I also don't understand what you mean by not authentic mail.  The
 original signature proves it authentic.  The subscribers may
 not have the appropriate key to verify, but in that case I don't
 see why they would want to delegate it to Mailman.

 I think you have a difficult task in merely specifying what you want
 this system to do.  That's likely to be a couple orders of magnitude
 harder than the implementation!

   Yes, this was on the top of my mind while trying to attempt this
   project. I learned about key-servers. I think we could setup one
   wherein all the public key would be stored that are uploaded by
   users and retrieved when needed.

 But who watches the watcher?  That is, what does the keyserver need to
 know about the key's owner, and how does the candidate subscriber
 prove it to the keyserver?

 I think there are lots of use cases for integrating mailing list
 managers into the public key infrastructure, but you need to be
 careful to specify them.  I think you probably should start with
 simple use cases, like proving subscriber identity to the mailing list
 manager, eg for anti-spam purposes.[1]


I gave a thought and yes some parts of it don't actually make sense.
Instead for proving a subscriber's identity to a list manager we could
add a setting to accept messages only from registered signatures. Each
subscriber adds his public key when he subscribes to the list (or when
settings are changed to accept mails with only registered signature). This
could also help in spam reduction as only mails with registered users (with
registered keys) would be distributed among the list subscribers.

Can you please point me in some direction to learn about the various
possible ways to sign a mail and/or encrypt it.

Also i think adding the key as a new column against the email in the list
of subscriber would do the work.

I haven't worked with postorius but i have experience with django so i
think some ui can also be added in postorius to manage this although this
is just an idea which i think i can expand in a few days as I am working
on postorius.


 Footnotes:
 [1]  Even that is not a sure winner, since most users will not know
 how to do this for themselves.  So it will have to be integrated into
 clients, which themselves might be infected by a virus.




-- 
Abhilash Raj
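
One way to express the "accept messages only from registered signatures" rule proposed above, as an added Python example that is not part of the original message or of Mailman: it parses GnuPG `--status-fd` output and checks the signing key against a per-subscriber key table. The fingerprints, addresses, table and function names are hypothetical, and the status lines are constructed samples.

```python
from email.utils import parseaddr

# Placeholder fingerprints and a hypothetical key table (many keys -> one
# subscriber), standing in for the per-user public-key table.
FPR_ALICE = "A" * 40
FPR_BOB = "B" * 40
REGISTERED_KEYS = {FPR_ALICE: "alice@example.org", FPR_BOB: "bob@example.org"}

# Status keywords that must block distribution even when a VALIDSIG line is
# also present in the same output (bad signatures, expired or revoked keys).
FATAL = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def parse_status(status_text):
    """Return (keyword, args) pairs for every '[GNUPG:] ' status line."""
    prefix = "[GNUPG:] "
    events = []
    for line in status_text.splitlines():
        if line.startswith(prefix):
            fields = line[len(prefix):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events


def signer_fingerprints(events):
    """Primary-key fingerprints taken from VALIDSIG lines.

    VALIDSIG carries the signing (sub)key fingerprint first and the primary
    key fingerprint as its tenth argument; fall back to the first if absent.
    """
    fprs = []
    for keyword, args in events:
        if keyword == "VALIDSIG" and args:
            fprs.append((args[9] if len(args) > 9 else args[0]).upper())
    return fprs


def may_distribute(from_header, status_text, registered=REGISTERED_KEYS):
    """Decide whether a post may be redistributed; returns (allowed, reason)."""
    sender = parseaddr(from_header)[1].lower()
    events = parse_status(status_text)
    keywords = [keyword for keyword, _ in events]
    for keyword in keywords:
        if keyword in FATAL:
            return (False, keyword.lower())
    fprs = signer_fingerprints(events)
    if "GOODSIG" not in keywords or not fprs:
        return (False, "unsigned")
    # A good signature is not enough: the key must belong to this sender,
    # otherwise any subscriber could post under another subscriber's address.
    for fpr in fprs:
        if registered.get(fpr) == sender:
            return (True, "ok")
    return (False, "key-not-registered-to-sender")


def _valid(fpr):
    """Constructed status output for a good signature made by key `fpr`."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed User\n"
            f"[GNUPG:] VALIDSIG {fpr} 2013-04-09 1365500000 0 4 0 1 8 00 {fpr}\n")


GOOD_ALICE = _valid(FPR_ALICE)
BAD_ALICE = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {FPR_ALICE[-16:]} Constructed User\n"
EXPIRED_BOB = _valid(FPR_BOB).replace("GOODSIG", "EXPKEYSIG")

if __name__ == "__main__":
    for sender, status in [("Alice <alice@example.org>", GOOD_ALICE),
                           ("bob@example.org", GOOD_ALICE),
                           ("alice@example.org", BAD_ALICE),
                           ("bob@example.org", EXPIRED_BOB),
                           ("alice@example.org", "")]:
        print(sender, may_distribute(sender, status))
```

The second sample is the case a plain "is the signature good?" test misses: a valid signature from a registered key that belongs to a different subscriber than the one named in From.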


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-09 Thread Stephen J. Turnbull
Abhilash Raj writes:

  Can you please point me in some direction to learn about the various
  possible ways to sign a mail and/or encrypt it.

Basically that's going to be MUA-dependent.  There are standards for
this (prominently S/MIME aka RFC 5751), but whether MUAs implement it
is MUA-specific.  Also, S/MIME is not the same as using OpenPGP (I
guess that OpenPGP can be used to implement it, but I doubt that most
systems using OpenPGP actually conform to S/MIME).  I suspect that
many webmail programs and Windows MUAs do not support OpenPGP (webmail
programs generally don't support any form of secure mail AFAIK).
Other important RFCs include PKCS (RFC 2315) and Security Multiparts
for MIME (RFC 1847).  (Do check those references before implementing
them: I haven't followed this field that closely for several years,
and several of them are probably superseded by now.)

  Also i think adding the key as a new column against the email in
  the list of subscriber would do the work.

I still think you're getting ahead of yourself.  What work are you
talking about?  Just getting keys stored in the subscriber database
isn't much help if we haven't decided how we are going to use them.
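
As an added illustration of the signing formats mentioned above (example code, not from the thread or from Mailman): the sketch below tells RFC 1847 `multipart/signed` messages (PGP/MIME or S/MIME, by their `protocol` parameter) apart from inline clearsigned text, and extracts the exact octets a `multipart/signed` signature covers. The sample messages are constructed and carry placeholder signatures; the function names are hypothetical.

```python
from email import message_from_string

PGP_PROTOCOL = "application/pgp-signature"
SMIME_PROTOCOLS = ("application/pkcs7-signature", "application/x-pkcs7-signature")
INLINE_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"


def classify_signing(raw):
    """Return 'pgp-mime', 'smime', 'inline-pgp', 'unsigned', 'malformed'
    or 'unknown-protocol' for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/signed":
        protocol = str(msg.get_param("protocol") or "").lower()
        parts = msg.get_payload()
        # RFC 1847: exactly two parts, and the second part's content type
        # must equal the protocol parameter.
        if not isinstance(parts, list) or len(parts) != 2:
            return "malformed"
        if parts[1].get_content_type() != protocol:
            return "malformed"
        if protocol == PGP_PROTOCOL:
            return "pgp-mime"
        if protocol in SMIME_PROTOCOLS:
            return "smime"
        return "unknown-protocol"
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            text = body.decode("utf-8", errors="replace")
            if any(line.strip() == INLINE_MARKER for line in text.splitlines()):
                return "inline-pgp"
    return "unsigned"


def signed_bytes(raw):
    """Return the octets covered by a multipart/signed signature, or None.

    The first body part is cut out of the raw text instead of being
    re-serialised, because any change to it invalidates the signature. The
    line break before the boundary belongs to the boundary, and line endings
    are canonicalised to CRLF.
    """
    msg = message_from_string(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or not boundary:
        return None
    text = raw.replace("\r\n", "\n")
    delimiter = "\n--" + boundary + "\n"
    start = text.find(delimiter)
    if start < 0:
        return None
    start += len(delimiter)
    end = text.find(delimiter, start)
    if end < 0:
        return None
    return text[start:end].replace("\n", "\r\n").encode("utf-8")


# Constructed sample messages (placeholder signature blocks).
PGP_MIME = (
    "From: alice@example.org\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/signed; micalg=pgp-sha256;\n"
    ' protocol="application/pgp-signature"; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello list\n"
    "--b1\n"
    "Content-Type: application/pgp-signature\n"
    "\n"
    "(placeholder, not a real signature)\n"
    "--b1--\n"
)
# Same skeleton with the S/MIME protocol (micalg left as-is for brevity).
SMIME = PGP_MIME.replace(PGP_PROTOCOL, SMIME_PROTOCOLS[0])
# Second part's type no longer matches the protocol parameter.
MISMATCH = PGP_MIME.replace("Content-Type: application/pgp-signature\n",
                            "Content-Type: text/plain\n")
# What a list footer appended inside the signed part would look like.
FOOTERED = PGP_MIME.replace("hello list\n", "hello list\n-- list footer\n")
INLINE = (
    "From: bob@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "hello list\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "(placeholder)\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    for name in ("PGP_MIME", "SMIME", "MISMATCH", "INLINE"):
        print(name, classify_signing(globals()[name]))
    print(signed_bytes(PGP_MIME))
```

Comparing `signed_bytes(PGP_MIME)` with `signed_bytes(FOOTERED)` shows why a list manager that adds a footer inside the signed part breaks the sender's signature.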



Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-07 Thread Abhilash Raj
Thanks all for replying.


On Sun, Apr 7, 2013 at 4:47 AM, Daniel Kahn Gillmor
d...@fifthhorseman.net wrote:

 On 04/06/2013 06:53 PM, Paul Wise wrote:
  On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
 
  I am an undergrad student interested in OpenPGP integration in mailman as a
  GSOC project this summer.

 neat, i'm glad to hear it!

  I'm not sure about the scope of your project but you may want to
  review some prior efforts:
 
  http://schleuder2.nadir.org/
  http://www.synacklabs.net/projects/crypt-ml/

 see also:

   http://non-gnu.uvt.nl/mailman-pgp-smime/
   http://sels.ncsa.illinois.edu/

  My pet favourite feature from the lurker mail archiver is showing
  photos from OpenPGP keys in the archive pages.


Thanks for these links. I am currently going through these projects to
figure out the implementation part of the OpenPGP into mailman. Also trying
to use the mailman-php-smime patch to figure out how it is implemented.

 :)

 there are a lot of different ways that you might try to integrate
 message encryption, message signing, etc into a mailing list.  There are
 also a lot of ways to make it easy for users and administrators to shoot
 themselves in the foot with this stuff; and even seasoned system
 administrators with years of crypto background can get wrong. :(

 If i were you, Abhilash, i would start by trying to write up a concise
 statement about what specific enhancement you want to make from an
 end-user perspective, and what threat model your enhancement addresses.

 here are three (very different) starting points as examples:

  A) I want to make it so that only correctly-signed messages will be
 redistributed to the list.

  B) I want to make it so that no one but the list subscribers will be
 able to be able to view the content of messages sent to the list.

  C) I don't want the identities of anyone subscribed to the mailing list
 to be known to anyone but the other subscribers.

 There are layers of nuance to resolve with each of those goals.  i had a
 hard time keeping them that short because of all the exceptions and
 questions they raised in my head when i wrote them (Hint: i'm not
 convinced that either of them is actually well-defined enough to even be
 considered possible), but some form of either of them might be possible
 if you make them more precise.

 Can you try defining what sort of feature you'd like to see implemented?


Well what i want to make it is that whenever a user sends a mail to the
list it should be signed with his private key so that it can be verified
against his public that he uploads if he wants permissions to post in the
list. As the message is received by mailman its signature is verified and
then it's encrypted and sent to each person, wherein those who haven't
uploaded their key will also receive an unencrypted copy (with a probability
that it may not be intended for them or not authentic mail).

I also agree that I am new to cryptography so I cannot comment/assure about
the implementation of this idea. But with your help I think I would
be able to implement the best possible version of this idea.


 Also, key management is likely to be a large part of any project like
 this.  Have you thought about how a keyring for a mailing list should be
 handled?


Yes, this was on the top of my mind while trying to attempt this project. I
learned about key-servers. I think we could setup one wherein all the
public key would be stored that are uploaded by users and retrieved when
needed.

 Regards,

 --dkg





Thanks!
-- 
Abhilash Raj


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-07 Thread Stephen J. Turnbull
Abhilash Raj writes:

  Well what i want to make it is that whenever a user sends a mail to the
  list it should be signed with his private key so that it can be verified
  against his public that he uploads if he wants permissions to post in the
  list.

You mean that the user should sign it himself (or with the help of his
mail client), is that correct?

  As the message is received by mailman its signature is verified and
  then it's encrypted and sent to each person, wherein those who
  haven't uploaded their key will also receive an unencrypted
  copy (with a probability that it may not be intended for them or not
  authentic mail).

I don't understand the use case for having both encrypted and
unencrypted copies distributed.  Is the encryption intended to be
merely authentication?  But what Mailman has is by definition the
subscriber's public key; anybody might have that.  It *could* be kept
secret, but I think that's not so easy to prove.

I would have imagined that maybe Mailman would resign using its own
private key, to authenticate the list, and testify that it had
authenticated the sender.

I also don't understand what you mean by not authentic mail.  The
original signature proves it authentic.  The subscribers may
not have the appropriate key to verify, but in that case I don't
see why they would want to delegate it to Mailman.

I think you have a difficult task in merely specifying what you want
this system to do.  That's likely to be a couple orders of magnitude
harder than the implementation!

  Yes, this was on the top of my mind while trying to attempt this
  project. I learned about key-servers. I think we could setup one
  wherein all the public key would be stored that are uploaded by
  users and retrieved when needed.

But who watches the watcher?  That is, what does the keyserver need to
know about the key's owner, and how does the candidate subscriber
prove it to the keyserver?

I think there are lots of use cases for integrating mailing list
managers into the public key infrastructure, but you need to be
careful to specify them.  I think you probably should start with
simple use cases, like proving subscriber identity to the mailing list
manager, eg for anti-spam purposes.[1]


Footnotes: 
[1]  Even that is not a sure winner, since most users will not know
how to do this for themselves.  So it will have to be integrated into
clients, which themselves might be infected by a virus.


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-06 Thread Paul Wise
On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:

 I am an undergrad student interested in OpenPGP integration in mailman as a
 GSOC project this summer.

Cool!

I'm not sure about the scope of your project but you may want to
review some prior efforts:

http://schleuder2.nadir.org/
http://www.synacklabs.net/projects/crypt-ml/

My pet favourite feature from the lurker mail archiver is showing
photos from OpenPGP keys in the archive pages.

-- 
bye,
pabs

http://bonedaddy.net/pabs3/


Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-06 Thread Daniel Kahn Gillmor
On 04/06/2013 06:53 PM, Paul Wise wrote:
 On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
 
 I am an undergrad student interested in OpenPGP integration in mailman as a
 GSOC project this summer.

neat, i'm glad to hear it!

 I'm not sure about the scope of your project but you may want to
 review some prior efforts:
 
 http://schleuder2.nadir.org/
 http://www.synacklabs.net/projects/crypt-ml/

see also:

  http://non-gnu.uvt.nl/mailman-pgp-smime/
  http://sels.ncsa.illinois.edu/

 My pet favourite feature from the lurker mail archiver is showing
 photos from OpenPGP keys in the archive pages.

:)

there are a lot of different ways that you might try to integrate
message encryption, message signing, etc into a mailing list.  There are
also a lot of ways to make it easy for users and administrators to shoot
themselves in the foot with this stuff; and even seasoned system
administrators with years of crypto background can get it wrong. :(

If i were you, Abhilash, i would start by trying to write up a concise
statement about what specific enhancement you want to make from an
end-user perspective, and what threat model your enhancement addresses.

here are three (very different) starting points as examples:

 A) I want to make it so that only correctly-signed messages will be
redistributed to the list.

 B) I want to make it so that no one but the list subscribers will be
able to view the content of messages sent to the list.

 C) I don't want the identities of anyone subscribed to the mailing list
to be known to anyone but the other subscribers.

There are layers of nuance to resolve with each of those goals.  i had a
hard time keeping them that short because of all the exceptions and
questions they raised in my head when i wrote them (Hint: i'm not
convinced that either of them is actually well-defined enough to even be
considered possible), but some form of either of them might be possible
if you make them more precise.

Can you try defining what sort of feature you'd like to see implemented?

Also, key management is likely to be a large part of any project like
this.  Have you thought about how a keyring for a mailing list should be
handled?

Regards,

--dkg



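
Goal A above, and the earlier point that Mailman would authenticate the sender before redistributing, both come down to one check: the signature must be valid and must come from the key registered for the posting address. The sketch below is an added example, not part of the thread or of Mailman; the keyring, addresses, fingerprints and status lines are constructed, and the status keywords are the ones GnuPG writes with --status-fd.

```python
from email.utils import parseaddr

# Hypothetical list keyring (constructed): subscriber address -> primary key fingerprint.
LIST_KEYRING = {
    "alice@example.org": "A" * 40,
    "bob@example.org": "B" * 40,
}
# GnuPG status keywords that mean a signature must not be trusted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Return (set of status keywords, fingerprints named by VALIDSIG lines)."""
    keywords, fingerprints = set(), []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keywords.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # The last VALIDSIG field is the primary key fingerprint; if the
            # line is shorter, fall back to the signing key fingerprint.
            fingerprints.append(fields[11] if len(fields) >= 12 else fields[2])
    return keywords, fingerprints

def decide(from_header, status_text, keyring=LIST_KEYRING):
    """Return (decision, reason) for one incoming post."""
    sender = parseaddr(from_header)[1].lower()
    expected = keyring.get(sender)
    if expected is None:
        return "hold", "sender has no key on the list keyring"
    keywords, fingerprints = parse_status(status_text)
    if keywords & FAILURES:
        return "reject", "bad, expired or unverifiable signature"
    if not fingerprints:
        return "reject", "no valid signature"
    if any(fpr.upper() != expected for fpr in fingerprints):
        return "reject", "signed by a key not bound to the sender address"
    return "accept", "valid signature from the sender's registered key"

def valid_status(fpr):
    """Constructed status output for a good signature made by key `fpr`."""
    return ("[GNUPG:] GOODSIG %s Test User <user@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2013-04-07 1365292800 0 4 0 1 8 00 %s\n"
            % (fpr[-16:], fpr, fpr))

SIGNED_BY_ALICE = valid_status("A" * 40)
TAMPERED = "[GNUPG:] BADSIG %s Test User <user@example.org>\n" % ("A" * 16)
```

A post signed with Alice's key but carrying Bob's address in From is rejected even though the signature itself verifies, which is the part a bare "is it correctly signed?" test misses.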