Re: [Mailman-Developers] OpenPGP Integration on GSoC
On 04/09/2013 07:55 PM, Marcos Chavarría Teijeiro wrote:
> The problem is that I'm not sure if I understand the idea. This is how I see it:
> - Users submit their public key to the Mailman server when they register to the mail list.
> - The user can get the Mailman server's public key.
> - When a user wants to post a message, they both sign and encrypt this message. They encrypt the message using the Mailman public key. Then the message is sent to the Mailman server.
> - Mailman decrypts the received message and checks whether the signature is correct (with the stored user public key). If the signature is correct, it sends a message to every mail-list subscriber, encrypted with each user's public key.
> - The other users receive the email and decrypt it.
> Is this correct?

This sounds like a reasonable proposal, though there are potentially a lot of gotchas in such an implementation (in particular, keyring management, and dealing sensibly with cryptographic failures are two rough spots that you probably need to think more about).
Have you looked at schleuder? In my experience, schleuder is the most widely-used mailing list software that maps to the model you describe, so learning from their experiences and figuring out why they made the implementation decisions they did would probably be helpful:
You might also want to compare notes with Abhilash Raj (who has been posting to this list), since y'all seem to be interested in similar topics.
all the best,
--dkg
Hi Marcos,
On Wed, Apr 10, 2013 at 10:04:04PM -0400, Daniel Kahn Gillmor wrote:
> On 04/09/2013 07:55 PM, Marcos Chavarría Teijeiro wrote:
> > The problem is that I'm not sure if I understand the idea. This is how I see it:
> > - Users submit their public key to the Mailman server when they register to the mail list.
> > - The user can get the Mailman server's public key.
> > - When a user wants to post a message, they both sign and encrypt this message. They encrypt the message using the Mailman public key. Then the message is sent to the Mailman server.
> > - Mailman decrypts the received message and checks whether the signature is correct (with the stored user public key). If the signature is correct, it sends a message to every mail-list subscriber, encrypted with each user's public key.
> > - The other users receive the email and decrypt it.
> > Is this correct?
> This sounds like a reasonable proposal, though there are potentially a lot of gotchas in such an implementation (in particular, keyring management, and dealing sensibly with cryptographic failures are two rough spots that you probably need to think more about).
> Have you looked at schleuder? <snip>

One of the issues you'd have to think about is how to deal with this:
I am Joost van Baal-Ilić. I create a PGP keypair with ID Barry Warsaw. I send the public key to the list server. I send a mail, signed with the Barry-key, encrypted to the listkey, with From: Barry's email address, to the list. The listserver now distributes it to the list's subscribers, yes? The list subscribers will believe the message is from Barry.
There's more than 1 way to solve this problem. You'd have to pick one solution.
Bye,
Joost
-- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. --Antoine de Saint-Exupery
On 11.04.2013 06:19, Joost van Baal-Ilić wrote:
> I am Joost van Baal-Ilić. I create a PGP keypair with ID Barry Warsaw. I send the public key to the list server. I send a mail, signed with the Barry-key, encrypted to the listkey, with From: Barry's email address, to the list. The listserver now distributes it to the list's subscribers, yes? The list subscribers will believe the message is from Barry.

You would have to do some key confirmation, just like you have to click a mail confirmation link upon subscription.
Next problem: Mailman will have to decrypt the message and re-encrypt it for each recipient. This also strips the signature of the original sender. How do you show to the recipients that the original message was signed (in a way which cannot be forged by any other sender)?
Generally speaking PGP support would be great, the efforts Joost and I made about 10 years ago never made it beyond alpha (or beta at best) stage...
Stefan.
Hi (and hi Stefan!),
On Thu, Apr 11, 2013 at 09:23:35AM +0200, Stefan Schlott wrote:
> On 11.04.2013 06:19, Joost van Baal-Ilić wrote:
> > I am Joost van Baal-Ilić. I create a PGP keypair with ID Barry Warsaw. I send the public key to the list server. I send a mail, signed with the Barry-key, encrypted to the listkey, with From: Barry's email address, to the list. The listserver now distributes it to the list's subscribers, yes? The list subscribers will believe the message is from Barry.
> You would have to do some key confirmation, just like you have to click a mail confirmation link upon subscription.
> Next problem: Mailman will have to decrypt the message and re-encrypt it for each recipient. This also strips the signature of the original sender.

Not necessarily, iirc.

> How do you show to the recipients that the original message was signed (in a way which cannot be forged by any other sender)?
> Generally speaking PGP support would be great, the efforts Joost and I made about 10 years ago never made it beyond alpha (or beta at best) stage...

ACK.
Bye,
Joost
On 4/11/13 3:23 AM, Stefan Schlott wrote:
> On 11.04.2013 06:19, Joost van Baal-Ilić wrote:
> > I am Joost van Baal-Ilić. I create a PGP keypair with ID Barry Warsaw. I send the public key to the list server. I send a mail, signed with the Barry-key, encrypted to the listkey, with From: Barry's email address, to the list. The listserver now distributes it to the list's subscribers, yes? The list subscribers will believe the message is from Barry.
> You would have to do some key confirmation, just like you have to click a mail confirmation link upon subscription.
> Next problem: Mailman will have to decrypt the message and re-encrypt it for each recipient. This also strips the signature of the original sender. How do you show to the recipients that the original message was signed (in a way which cannot be forged by any other sender)?
> Generally speaking PGP support would be great, the efforts Joost and I made about 10 years ago never made it beyond alpha (or beta at best) stage...
> Stefan.

Decrypting and re-encrypting shouldn't break signatures as the sender should first sign the unencrypted message, and then encrypt it. The signature can then be passed on in the re-encrypted message, and people can do their verification of the signature. It is up to each recipient to decide how well they trust the identity of the sender. Digital keys do NOT naturally verify the identity of the sender, they verify that the sender is a possessor of the signing key, and it is the web of trust on the key management side that connects that with an individual identity.
Also, re-encrypting to each recipient isn't as big of a job as it might seem, as actually what happens is a session key is made, and this is used to encrypt the message, then the session key is encrypted with the recipient's public key, so only this last piece needs to be done per recipient. You probably need to send copies individually, or every message will have information about who is subscribed to the list.
-- Richard Damon
On 11.04.2013 14:35, Richard Damon wrote:
> > Next problem: Mailman will have to decrypt the message and re-encrypt it for each recipient. This also strips the signature of the original sender. How do you show to the recipients that the original message was signed (in a way which cannot be forged by any other sender)?
> Decrypting and re-encrypting shouldn't break signatures as the sender should first sign the unencrypted message, and then encrypt it. The signature can then be passed on in the re-encrypted message, and people can do their verification of the signature.

True, the PGP file structure encapsulates the signature within the encryption (in contrast to S/MIME, which does it vice versa). But the standard PGP binary will strip both in one step, so keeping the signature won't work out of the box (at least I didn't manage to do that, I'd be really interested in how to do that - would be useful for searchable mail archives).
Stefan.
On 04/11/2013 09:13 AM, Stefan Schlott wrote:
> True, the PGP file structure encapsulates the signature within the encryption (in contrast to S/MIME, which does it vice versa). But the standard PGP binary will strip both in one step, so keeping the signature won't work out of the box (at least I didn't manage to do that, I'd be really interested in how to do that - would be useful for searchable mail archives).

It's certainly possible within the OpenPGP spec to have the mailing list software decrypt its Encrypted Session Key (ESK) OpenPGP packet from an encrypted message, and then add a new ESK packet (or replace the old one) for each list subscriber. IIUC, this should leave the original message's signature intact.
Whether any of the various OpenPGP-related toolkits that are readily available for python are capable of doing these operations is another matter.
If you're playing with this stuff, i recommend reading the OpenPGP RFC, which actually describes how all the data fits together:
https://tools.ietf.org/html/rfc4880
you may also be interested in the PGP/MIME spec, which concerns how to format OpenPGP within an e-mail:
https://tools.ietf.org/html/rfc3156
Note that the design proposed in this thread is similar to the schleuder2 design, though schleuder doesn't preserve the original signer's signature either, but substitutes it with a message signature from the mailing list itself.
This design also exposes the content of each message to the mailing list software itself. There are other architectures that make it so the mailing list software never actually gets to see the content of the message (see PSELS for an example).
--dkg
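
Added example, not part of the thread and not Mailman or schleuder code: a Python illustration of the packet-level operation discussed above, where the Public-Key Encrypted Session Key packet (tag 1 in RFC 4880) is replaced by one per subscriber and the encrypted data packet, which carries the sender's signature inside it, is forwarded byte for byte in individually addressed copies. It assumes an OpenPGP library has already unwrapped the session key with the list key and produced each subscriber's new ESK body; `read_packets`, `new_packet`, `rewrap` and the sample bytes are constructed for illustration.

```python
PKESK, SED, SEIPD = 1, 9, 18  # RFC 4880 packet tags

def read_packets(data):
    """Split an OpenPGP message into (tag, raw packet bytes) pairs."""
    out, i = [], 0
    while i < len(data):
        start, hdr = i, data[i]
        if not hdr & 0x80 or i + 1 >= len(data):
            raise ValueError("bad or truncated packet header")
        i += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:                     # one-octet length
                length, i = first, i + 1
            elif first < 224:                   # two-octet length
                low = int.from_bytes(data[i + 1:i + 2], "big")
                length, i = ((first - 192) << 8) + low + 192, i + 2
            elif first == 255:                  # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        out.append((tag, data[start:i + length]))
        i += length
    return out

def new_packet(tag, body):
    """Serialize one new-format packet with a five-octet length."""
    return bytes([0xC0 | tag, 0xFF]) + len(body).to_bytes(4, "big") + body

def rewrap(message, esk_by_subscriber):
    """Per-subscriber copies: one fresh PKESK, then the untouched data packet."""
    # esk_by_subscriber: address -> PKESK body, wrapped elsewhere (assumption).
    enc = [raw for tag, raw in read_packets(message) if tag in (SED, SEIPD)]
    if len(enc) != 1:
        raise ValueError("expected exactly one encrypted data packet")
    return {who: new_packet(PKESK, body) + enc[0]
            for who, body in esk_by_subscriber.items()}

# Constructed sample (placeholder bytes): old-format PKESK, new-format SEIPD.
SAMPLE = (b"\x84\x32\x03" + b"LISTKEY1\x01" + b"\xaa" * 40
          + b"\xd2\xc0\x6d\x01" + b"\x5c" * 300)
```

Each returned copy names only one recipient key, so a subscriber's mail does not reveal who else is on the list.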