On 04/25/2013 04:36 PM, Stefan Schlott wrote:
> On 25.04.2013 00:14, Abhilash Raj wrote:
>> - When a message is decrypted and then passed on between the queues, it creates a security threat for the cleartext message is being held in memory, even for a small time in between the runners.
>
> The Mailman server holds the key to decrypt _every_ incoming message. So if the server is compromised, a message temporarily held in memory is the least of your problems :-)
Abhilash might have meant that there is a concern that a decrypted message could be stored *on disk* in one of the queues, not just in memory. This could be a problem if an adversary gets access to the disk and can get access to the backing storage, even after the files have been unlinked from the filesystem (since unlinking files doesn't guarantee removal of all traces from the backing storage).
Of course, if the secret key for the list is kept without a passphrase on the same filesystem or on a separate filesystem on the same backing storage, then your risk is elevated to begin with.
Abhilash, I don't see any mention in your proposal of how you plan to deal with the secret key material. Will there be a way for mailman to use a secret key that is stored in a password-protected form? If so, how?
--dkg