Mailman and GPG.

Greetings!
I am wondering if anyone has begun an implementation of GNU Privacy Guard email handling in Mailman, that would work along these lines:
- mailman has its own keypair, and a keyring of the public keys of all mailing list subscribers.
- A poster to a list will use GPG to encrypt his posting using mailman's public key, and then mailman sends out individually encrypted messages or digests to each subscriber.
Something like this existed (PGPdomo), but it vanished, and putting this functionality back in Majordomo is a Lovecraftian task.
I may be interested in doing this as an exercise to learn Python. Has anyone done something like this? Also, is there a Python interface to GPG?
Regards,
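
A sketch of the decrypt-and-re-encrypt step proposed in the post above, added here as an illustration; it is not code from the thread or from Mailman. It drives the `gpg` command line from Python, and the homedir path, the function names and the admin-curated keyring (which is why `--trust-model always` is set) are assumptions.

```python
import subprocess

# Assumed layout: a GnuPG home owned by the list, holding the list's secret key
# and an admin-curated keyring of subscriber public keys.
GPG = ["gpg", "--batch", "--no-tty", "--homedir", "/var/lib/mailman/gnupg",
       "--trust-model", "always"]

class GpgError(Exception):
    """gpg exited non-zero (no secret key, no public key, expired key, ...)."""

def run_gpg(args, data):
    """Pipe data through gpg; the plaintext stays in memory, never in a temp file."""
    proc = subprocess.run(GPG + args, input=data, capture_output=True)
    if proc.returncode != 0:
        raise GpgError(proc.stderr.decode(errors="replace").strip())
    return proc.stdout

def explode(ciphertext, subscribers, gpg=run_gpg):
    """Decrypt one posting with the list key, then re-encrypt it per subscriber.

    Returns (outgoing, skipped): outgoing maps address -> armored ciphertext,
    skipped lists addresses without a usable key. No copy is produced in clear.
    """
    # Raises GpgError if the posting was not encrypted to the list key,
    # so an unencrypted or misaddressed posting is rejected, not forwarded.
    plaintext = gpg(["--decrypt"], ciphertext)
    outgoing, skipped = {}, []
    for addr in subscribers:
        try:
            # "<addr>" asks gpg for an exact e-mail match, not a substring match.
            # One message per subscriber: no copy lists the other recipients' keys.
            outgoing[addr] = gpg(
                ["--armor", "--encrypt", "--recipient", f"<{addr}>"], plaintext)
        except GpgError:
            skipped.append(addr)  # fail closed: never fall back to plaintext
    return outgoing, skipped

if __name__ == "__main__":
    # Constructed stand-in for gpg so the flow can be followed offline.
    def stand_in(args, data):
        if args == ["--decrypt"]:
            return b"constructed posting"
        if args[-1] == "<nokey@example.org>":
            raise GpgError("No public key")
        return b"ENC:" + args[-1].encode()
    print(explode(b"constructed ciphertext",
                  ["a@example.org", "nokey@example.org"], gpg=stand_in))
```

Subscribers in `skipped` need an out-of-band notice (for example a request to upload a key); the posting itself is not delivered to them.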

On Sun, Nov 05, 2000 at 05:55:37PM -0500, The guy named after an Om Kalthoum song wrote:
[ Mailman using GPG to decrypt and re-crypt messages ]
I may be interested in doing this as an exercise to learn Python. Has anyone done something like this?
I don't think so. It's the first I heard about it, in any case. Note that "it isn't that simple" ;) You have to think about Archives. Do you want to enable them over SSL only ? SSL with client certificates ? Do you just want to disable them ? What about news gatewaying ? Just disable it for 'secure' groups, or just sign the postings ?
Also, is there a Python interface to GPG?
I think I saw something like it, but I can't find it now. A quick google search shows some hits on 'python' in the gnupg-devel list, so maybe there is the right place to look ?

On Sun, Nov 05, 2000 at 05:55:37PM -0500, The guy named after an Om Kalthoum song wrote:
[ Mailman using GPG to decrypt and re-crypt messages ]
I may be interested in doing this as an exercise to learn Python. Has anyone done something like this?
I don't think so. It's the first I heard about it, in any case. Note that "it isn't that simple" ;) You have to think about Archives. Do you want to enable them over SSL only ? SSL with client certificates ? Do you just want to disable them ? What about news gatewaying ? Just disable it for 'secure' groups, or just sign the postings ?
The motivation I have behind asking (which can quickly drift off-topic for this list) is that the main reason behind the failure of widespread email encryption is human factors. Therefore, the right amount of social engineering will be the driving force in getting people to encrypt email.
If a mailing list exploder like what I described is available, people will learn not to 1. share TMI type information on any other kind of mailing list, or 2. share proprietary discussions on any other kind of mailing list.
So, a list like this will
- have no Web archiving,
- no news gatewaying, and
- rapidly expiring mailing list keypairs, Just In Case (TM).
I'm asking this on the Mailman forum because Mailman would be easier to GPG-enable than Majordomo (just as eating ice cream is more pleasant than root canal..), and because apart from that, I am not picky on how this should be done, hence would be willing to fork Mailman to warp it for this end.

At 2:54 PM -0500 11/6/00, Omri Schwarz wrote:
The motivation I have behind asking (which can quickly drift off-topic for this list) is that the main reason behind the failure of widespread email encryption is human factors. Therefore, the right amount of social engineering will be the driving force in getting people to encrypt email.
I agree with this -- but I disagree that the mailing list is where the focus needs to go. The focus needs to go in fixing mail client interfaces to properly integrate this stuff and make it easy to use. Until that happens, it doesn't matter what else is done, because users won't use it.
IMHO, of course. But working on the MLM side is the cart before the horse. Get the clients using encryption rationally, and the server side will follow naturally.

Omri> I may be interested in doing this as an exercise to learn
Omri> Python.
I'm not one to discourage anybody's motivation for learning Python, so go for it. I think Chuq and JC have outlined the concerns and issues nicely, so I won't add much else other than to say that I /hope/ you'd be able to add the bits you'd need without forking Mailman. There should be enough pluggable architecture to add what you need as an extension without major architectural changes. If not, then post your ideas here and we can discuss them.
Having said that, my own personal opinion is that this isn't very useful for a general tool. IMO, encryption and security will never pass the Grandma Test: could it be easy enough to understand and do correctly that your grandmother would use it? Encryption is complicated and security protocols are even harder to understand and implement right, let alone do so in a way that Normal People can grasp. I'm pessimistic that a pervasively encrypted environment will ever really exist, or will even be deemed necessary by the vast armies of grandmas on the 'net.
(unlike web and email, which my son's grandma can do without much trouble)
Let us know how it goes though. It definitely tickles my geek-libertarian funny bone! :)
-Barry

At 2:42 PM -0500 11/8/00, Barry A. Warsaw wrote:
IMO, encryption and security will never pass the Grandma Test: could it be easy enough to understand and do correctly that your grandmother would use it?
This is a place I disagree with Barry -- I think it will, but not until it's as easy to use as the web and email are. Which means the client authors need to decide it's necessary to integrate into the client tools, and serious enough about it to integrate in a non-geeky way (i.e., Eudora's PGP plug-ins ain't it). That means serious user interface design and integration.
And I think it will -- but not soon. Why? The U.S. recently made digital signatures legally binding. That means encryption. And once people start needing (or wanting) digital signatures, that'll drive the integration of encryption. Until that happens, though, it'll continue to be a niche technology. A crucial one, but not one you can easily explain to mom and dad.
This is a job for the client tools. It can be and should be done. But I don't see it happening soon, and I see governments globally fighting it every step of the way...
participants (5): barry@wooz.org, Chuq Von Rospach, Omri Schwarz, The guy named after an Om Kalthoum song, Thomas Wouters