On 04/27/2013 01:36 PM, Stephen J. Turnbull wrote:
> without a complete redesign starting from the assumption of encrypted messages whose plain text must be exposed as briefly as possible.
At least one project suggests that it may be possible to operate an encrypted mailing list such that the automated remailing daemon does not have any access to the cleartext body of the messages, and the mailing list members don't need to do any key management of other members of the list. SELS does this through some interesting cryptographic techniques, and was actually built on top of unmodified mailman, afaict:
http://sels.ncsa.illinois.edu/
If you're interested in looking for ways that mailman could provide list members with message content protection even in the face of an exploitable bug in mailman itself, this might be an interesting approach to consider (e.g. perhaps SELS could be revived and integrated directly).
For the record: I have never run an SELS server, and have never read the code. I just think it's an interesting idea.
just a thought,
--dkg