
On Nov 18, 2016, at 04:26 PM, Dominik wrote:
I'd like to see PGP support for MM3 but I thought it might be a little too early to file an issue.
I think full PGP support as many people want will be a multi-issue, multi-branch effort. For example, I can imagine a branch that enables list-specific key management so that you can encrypt a message to a mailing list. Then users/addresses would each also have key management. Those touch the database layer. There will probably be branches that touch the REST API, and handler/rules, etc. Then there are likely changes to Postorius, possibly HyperKitty, etc.
Encrypted mailing for groups of people is still a mess in 2016:
- Either the group is relatively static or you never encrypt the mail for all people.
- All members need to know each other. And you need the keys of all the other members.
So far for the motivation. Below there are some initial thoughts:
**Treat mail differently based on their signing status:**
- Whether it has a signature or not.
- Whether the signature is valid or not.
- Whether the signing key matches the key of the list member.
**Treat mail differently based on their encryption status:**
- Whether it is encrypted or not.
You could certainly do these things. Once the basic key management infrastructure is in place, you could fairly easily add various rules and handlers to effect some of these features. E.g. a rule could say "if this message does not have a valid signature, discard it". That could be useful even without full encryption. For outgoing encryption, you'd need a pre-MTA handler if you wanted to do personalization, e.g. encrypt the message to each user's registered key.
**Other opportunities**
1. A public key per list.
2. Signing of outgoing mails with that list key.
3. Encryption of outgoing mails with that list key.
#2 and #3 could be done with list-wide handlers, since they aren't personalized.
4. Send a mail with the list's public key on request.
Fairly easy to add a command to do this.
Which one of these points is worth an implementation?
All? None? Some? :)
It really kind of depends on what people want. At a minimum, I would really like the option of running a mailing list which requires valid signatures for posting, to avoid blindly trusting the sender headers. That still requires user-based key management, so perhaps that's a good place to start.
Cheers, -Barry
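
The signing-status triage discussed in this thread (signature present, signature valid, key matches the member), sketched as an added example that is not part of the original message and is not Mailman code. The `member_keys` mapping and the `verify` callback are hypothetical stand-ins for the key management the thread says does not exist yet, and the `hold` outcome for a key mismatch is an assumption; only PGP/MIME (RFC 3156) structure is recognised.

```python
from email.utils import parseaddr

# Constructed sample: PGP/MIME layout per RFC 3156; the signature body is a placeholder.
SIGNED_SAMPLE = """\
From: Anne <anne@example.com>
To: test@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

Hello list.
--b1
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--b1--
"""

def pgp_status(msg):
    """Classify by RFC 3156 MIME structure only; inline-signed bodies count as 'plain'."""
    ctype = msg.get_content_type()
    proto = str(msg.get_param('protocol') or '').lower()
    if ctype == 'multipart/encrypted' and proto == 'application/pgp-encrypted':
        return 'encrypted'
    if ctype == 'multipart/signed' and proto == 'application/pgp-signature':
        parts = msg.get_payload() if msg.is_multipart() else []
        if len(parts) == 2 and parts[1].get_content_type() == 'application/pgp-signature':
            return 'signed'
        return 'malformed'
    return 'plain'

def posting_decision(msg, member_keys, verify):
    """member_keys: address -> registered fingerprint (hypothetical store).
    verify(msg): hypothetical callback returning the signer fingerprint, or None if invalid."""
    status = pgp_status(msg)
    if status != 'signed':
        return 'discard', 'no PGP/MIME signature (%s)' % status
    fingerprint = verify(msg)
    if fingerprint is None:
        return 'discard', 'invalid signature'
    sender = parseaddr(msg.get('From', ''))[1].lower()
    if member_keys.get(sender) != fingerprint:
        return 'hold', 'signing key is not the one registered for the sender'
    return 'accept', 'valid signature from the registered key'
```

The structural check runs before any cryptographic work, so a message that merely claims `multipart/signed` without a well-formed signature part never reaches `verify`.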