[Mailman-Developers] PGP support for MM3

Barry Warsaw barry at list.org
Fri Nov 18 16:47:08 EST 2016

On Nov 18, 2016, at 04:26 PM, Dominik wrote:

>I'd like to see PGP support for MM3 but I thought it might be a little
>too early to file an issue.

I think full PGP support as many people want will be a multi-issue,
multi-branch effort.  For example, I can imagine a branch that enables
list-specific key management so that you can encrypt a message to a mailing
list.  Then users/addresses would each also have key management.  Those touch
the database layer.  There will probably be branches that touch the REST API,
and handler/rules, etc.  Then there are likely changes to Postorius, possibly
HyperKitty, etc.

>Encrypted mailing for groups of people is still a mess in 2016:
>*  Either the group is relatively static or you never encrypt the mail
>  for all people.
>*  All members need to know each other. And you need the keys of all
>  the other members.
>So far for the motivation. Below there are some initial thoughts:
>**Treat mail differently based on their signing status:**
>1. Whether it has a signature or not.
>2. Whether the signature is valid or not.
>3. Whether the signing key matches the key of the list member.
>**Treat mail differently based on their encryption status**
>Whether it is encrypted or not.

You could certainly do these things.  Once the basic key management
infrastructure is in place, you could fairly easily add various rules and
handlers to effect some of these features.  E.g. a rule could say "if this
message does not have a valid signature, discard it".  That could be useful
even without full encryption.  For outgoing encryption, you'd need a pre-MTA
handler if you wanted to do personalization, e.g. encrypt the message to each
user's registered key.

>**Other opportunities**
>1. A public key per list.
>2. Signing of outgoing mails with that list key.
>3. Encryption of outgoing mails with that list key.

#2 and #3 could be done with list-wide handlers, since they aren't

>4. Send a mail with the list's public key on request.

Fairly easy to add a command to do this.

>Which one of these points is worth an implementation?

All?  None?  Some?  :)

It really kind of depends on what people want.  At a minimum, I would really
like the option of running a mailing list which requires valid signatures for
posting, to avoid blindly trusting the sender headers.  That still requires
user-based key management, so perhaps that's a good place to start.

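The posting rule mentioned in the reply ("if this message does not have a valid signature, discard it"), combined with the three signing checks from the quoted list, as an added example that is not part of the original thread and is not Mailman code. The names pgp_status, posting_action and stub_verify are hypothetical, the verify hook is an assumed stand-in for a real OpenPGP check against per-member key management, and all sample data is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def pgp_status(msg):
    """Classify by RFC 3156 PGP/MIME structure (inline PGP is not handled)."""
    proto = msg.get_param("protocol")
    proto = proto.lower() if isinstance(proto, str) else ""
    kinds = {("multipart/signed", "application/pgp-signature"): "signed",
             ("multipart/encrypted", "application/pgp-encrypted"): "encrypted"}
    return kinds.get((msg.get_content_type(), proto), "plain")

def posting_action(msg, member_keys, verify):
    """Hypothetical policy: accept only a valid signature made by the key
    registered for the From address. verify(signed, sig) -> fingerprint or
    None is an assumed hook standing in for a real OpenPGP check."""
    if pgp_status(msg) != "signed":
        return "discard"              # 1. no signature
    parts = msg.get_payload()
    if not msg.is_multipart() or len(parts) != 2:
        return "discard"              # malformed multipart/signed
    fingerprint = verify(parts[0], parts[1])
    if fingerprint is None:
        return "discard"              # 2. signature not valid
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # 3. a valid signature from another key must not pass as this member
    return "accept" if member_keys.get(sender) == fingerprint else "discard"

# Constructed sample data: address, fingerprint and "signature" are made up.
MEMBER_KEYS = {"anne@example.com": "CONSTRUCTED-FPR-ANNE"}
SIGNED = """\
From: Anne <anne@example.com>
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b"

--b

hello
--b
Content-Type: application/pgp-signature

CONSTRUCTED-GOOD-SIG
--b--
"""

def stub_verify(signed_part, signature_part):
    # Stand-in for the demo only; performs no cryptography.
    good = "CONSTRUCTED-GOOD-SIG" in signature_part.get_payload()
    return "CONSTRUCTED-FPR-ANNE" if good else None

if __name__ == "__main__":
    print(posting_action(message_from_string(SIGNED), MEMBER_KEYS, stub_verify))
```

The third check is the one that replaces trust in the sender headers: a message whose From names a member but whose valid signature comes from a different key is discarded.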