On 04/06/2013 06:53 PM, Paul Wise wrote:
> On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote:
>> I am an undergrad student interested in OpenPGP integration in mailman as a GSOC project this summer.
neat, i'm glad to hear it!
> I'm not sure about the scope of your project but you may want to review some prior efforts:
> http://schleuder2.nadir.org/
> http://www.synacklabs.net/projects/crypt-ml/
see also:
http://non-gnu.uvt.nl/mailman-pgp-smime/
http://sels.ncsa.illinois.edu/
> My pet favourite feature from the lurker mail archiver is showing photos from OpenPGP keys in the archive pages.
:)
there are a lot of different ways that you might try to integrate message encryption, message signing, etc into a mailing list. There are also a lot of ways to make it easy for users and administrators to shoot themselves in the foot with this stuff; and even seasoned system administrators with years of crypto background can get it wrong. :(
If i were you, Abhilash, i would start by trying to write up a concise statement about what specific enhancement you want to make from an end-user perspective, and what threat model your enhancement addresses.
here are three (very different) starting points as examples:
A) I want to make it so that only correctly-signed messages will be redistributed to the list.
B) I want to make it so that no one but the list subscribers will be able to view the content of messages sent to the list.
C) I don't want the identities of anyone subscribed to the mailing list to be known to anyone but the other subscribers.
There are layers of nuance to resolve with each of those goals. i had a hard time keeping them that short because of all the exceptions and questions they raised in my head when i wrote them (Hint: i'm not convinced that either of them is actually well-defined enough to even be considered possible), but some form of either of them might be possible if you make them more precise.
Can you try defining what sort of feature you'd like to see implemented?
Also, key management is likely to be a large part of any project like this. Have you thought about how a keyring for a mailing list should be handled?
Regards,
--dkg