[Mailman-Developers] Project idea understanding

[Stephen J. Turnbull]

raditya writes:

 > 1) Each message will be encrypted with all users as recipients.

You are way ahead of yourself.  Before thinking about *how* to manage
an encrypted list, both operationally and socially, we need to decide

(1) *who* is going to be posting
(2) *why* are they posting to an encrypted list
(3) *who* is going to be subscribing to such a list
(4) *why* are they subscribing 
(5) *who* the traffic is being hidden from
(6) *what capabilities* the adversary may be expected to have
(7) *who* will be managing the list and host
(8) *the trustworthiness* required of list and host managers
(9) *what other features* are required in view of (1) -- (8), such as
    anonymity

and there may be some other basic features to consider.  I strongly
suggest a close look at RFC 5598 "Internet Mail Architecture" to get a
good understanding of the "players" in the game of "mailing list".
Then we need to talk about what threats encryption can protect
against, what threats other parts of Mailman can protect against, and
what can't be protected against.  Documentation will eventually be the
hardest part of this task.  Although the GSoC intern won't be
responsible for perfecting it, documenting the threat model is going
to be important both for the users (subscribers and list owners) and
for the design and implementation.

Don't worry about starting with a narrow use case, limited to some
"user story" you personally are familiar with.  We can think about
generalizing as we go along, or as a follow-on after the project is
done.  Original design and maximum generality are not required of a
GSoC project (although working on the design yourself does help with
planning implementation).  Also, I have a lot of ideas about "generic"
threats, and will reveal them gradually as we go along.  But it's
important for you to get over the idea that encryption itself is a big
deal.  It's not, and the basic mechanisms are already in place (for
signing, but it's quite similar) from a previous project.

Regarding your suggestions so far, I can tell you already that there
are technical or "audience" problems with your initial ideas.

 > The mailing-list maintainer will have to regularly send the list of
 > recipients over the mailing-list itself, so that every user comes
 > to know the public keys of all recipients.

As you seem to recognize, and Simon also points out, this is not
an attractive UI for many scenarios, including "large" lists and
non-technical posters.  And it's already possible in any case for
users competent in such operations.

 > 2) Another way could be relaying each message through the maintainer.
 > The maintainer then encrypts it for single recipient.
 > This might solve the problem of sending messageto large number of users
 > but it increases latency (each message must wait for the maintainer to
 > process it)
 > the maintainer can censor each message as they all are relayed through
 > him.

This is not going to be done by a human, there will be some kind of
Handler (and probably a Rule) to deal with it.

"Censoring" (eg, anonymization, as well as moderation) is a *good
point*, whose general application I missed above.  This is non-trivial
for secret traffic in some cases.  Some of it can be automated, and in
some applications all of it should be.  "Hold that thought."  :-)

 > 3) Or instead of using asymmetric keys we use a password given to all
 > users.

Again, not an attractive solution.  Consider the "secret" distribution
problem in general, and especially the revocation problem if you
decide to kick somebody off the list.  The primary goal here is to
avoid forcing subscribers and posters to learn about encryption and
security.  We probably can't avoid some burden on the users, but the
less the better -- we know very well from the security problems that
become public every day that users are not very good are secure usage.

I hope this helps you get a better handle on the scope of this
project.

Regards,

Steve