26 Apr 2013, 6:55 p.m.
On 04/26/2013 12:45 PM, Barry Warsaw wrote:
> OTOH, maybe that's all security theater. If the Mailman system's private key is available to an attacker, then having the encrypted message on disk temporarily is probably not going to stop them from decrypting it.
I've been wondering about that... is there any time when the encrypted message on disk would be available but the private key not?
- snapshot backups of Mailman queues but not the key
- corrupted filesystems
- unusual permissions that allow access to the queues but not the key
- mailman is only allowed to deal with encrypted messages when someone inserts the key which is stored on another physical device?
It's probably best to keep things encrypted as much as possible just in case there is a threat model we're not thinking of, but unless we're doing more to protect the key, I'm not sure we're gaining much.
Terri