[Mailman-Developers] PGP and Mailman

Stefan Schlott stefan.schlott at informatik.uni-ulm.de
Wed Mar 2 13:58:29 CET 2005

Brad Knowles wrote:

>>                                                Further, this will reveal
>>  all recipients' key ids - something not wanted in anonymous lists.
>     True.  A session key would be encrypted to each key id, so the key 
> ids would be visible.  However, subscriber information is not too hard 
> to get from Mailman even when it's supposedly limited to being available 
> only to the admin, so I think there may be bigger fish to fry elsewhere.

Right. And as it has already been pointed out, --throw-keyid should help.

>>  Imho the tradeoff lies somewhere inbetween - encrypt messages to n
>>  recipients (yet to be implemented).
>     The problem is that encrypting a message is a very CPU-intensive 
> process, and you don't want to figure off thousands and thousands of 
> message encryption processes for every single submission -- you'd DoS 
> yourself to death.  You'd have to make n pretty large in order to be 
> able to make this scalable.

A quick test gave the following (254 bytes text file as input):
- ASCII-Armored result, 10 recipients:  4211 bytes
- ASCII-Armored result, 20 recipients:  8931 bytes
- ASCII-Armored result, 30 recipients: 14700 bytes
- ASCII-Armored result, 40 recipients: 19242 bytes
Every recipient seems to increase file size by approx. 500 bytes. 
--throw-keyid didn't change file lenghts.
Creating chunks larger than 20 or 30 recipients results in really large 
mails; repeated calls of gpg result in high load. Not good for large 
lists indeed...


More information about the Mailman-Developers mailing list