[Listwork] Reprise: GPG encrypted mailing lists

Alster alster at indymedia.org
Fri Feb 3 11:42:02 PST 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I would like to reconsider providing encrypted mailing lists to
Indymedia users, either through Mailman or independantly.

I know this may end up in a big discussion and we've had it a couple
times before. To my knowledge, it always ended up with the result that
available mailman patches were not sufficiently stable or their approach
was flawed from a security point of view. Nevertheless I continue to
think this would be a good service to offer and I am willing to maintain
it (but would like other listworkers to help) once it has been setup.

I assume that the available implementations have matured since, maybe
sufficiently. Thus, I reviewed the listwork mailing list archives and
tried to find all implementations which were mentioned along the past
year and added one I additionally became aware of. I also tried to find
out which of them are still maintained so no time is wasted. I can,
however, not determine which of these patches + implementations are
suited and which are not. I will need your help with this.



+++++ A. SURFnet Secure List Server: an OpenPGP and S/MIME aware Mailman

Almost one year ago, Pabs brought another GPG patch for mailman to our
attention:
http://lists.indymedia.org/mailman/mmid/listwork/2005-0331-ee
http://www.non-gnu.uvt.nl/pub/mailman/
https://sourceforge.net/tracker/index.php?func=detail&aid=1167696&group_id=103&atid=300103

This patch seems to be well maintained (last release is for mailman
2.1.7 and was made on January 30th, previous changes were made on
January 1st), and it even comes with an extension to the web interface
allowing people to manage their public keys.

- From what I understand reading
http://www.non-gnu.uvt.nl/pub/mailman/debian/
this patch is also included in Debian mailman packages since v2.1.5-7.





A bit earlier than pabs, Luis proposed two more mailman patches (listed
below as B. and C.) and one standalone implementation (D.) and stated
that he was planning to test some of them on a development server:

http://lists.indymedia.org/mailman/mmid/listwork/2005-0204-7t

Luis, I could not find the report you said you might be able to provide.
Can you report anything on these patches (can you even recall)?

The mailman patches Luis reported are:

+++++ B. Mailman bug #646989: NAH6 Secure List patch: GPG plugin
https://sourceforge.net/tracker/index.php?func=detail&aid=646989&group_id=103&atid=300103

This approach seems to have been a pretty complicated one, and the patch
seems to be no longer maintained. I hereby declare this dead. ;-)


+++++ C. Mailman bug #645297: Add PGP support
https://sourceforge.net/tracker/index.php?func=detail&aid=645297&group_id=103&atid=300103

This seems to be neither documented nor maintained. However, it refers
to another patch, which happens to be the one listed above at A.


The standalone implementation Luis mentioned is

+++++ D. RedIRIS Encrypted mail list aliases with GnuPG

http://www.rediris.es/app/pgplist/index.en.html (or "index.es.html")
http://cvs.rediris.es/cvsweb/rediris-cvs/readme?cvsroot=gpgmailaliases&rev=HEAD

Even though the changelog may make you think this is no longer
maintained, looking at the CVS it seems it still is.



Another standalone implementation is Firma, written by Luis and Rhatto:

+++++ E. Firma

http://codecoop.org/projects/firma/

This is supposedly still maintained and planned to be rewritten in
python (currently, it is a bash script).





Personally, from what I've read so far, I believe that the option listed
above as A. is most suited for Indymedia. But it would take someone who
actually know what he's talking about to make a serious statement on this.

Once encrypted mailing lists work, we will still need to fix the problem
where pipermail scrubs S/MIME attachments:
http://lists.indymedia.org/mailman/mmid/listwork/2005-1011-a8

So much for now. I hope everyone can get an impression until the
listwork meeting so we can make a decision by then, or discuss it
further if needed. I will add this topic to the agenda.

Alster
- --
GPG key
http://keys.indymedia.org/cgi-bin/lookup?op=get&search=05059C17
Fingerprint    1B8B 128F 8435 541C B3A5 1B7E CF5A 9D55 0505 9C17
All other      http://docs.indymedia.org/view/Main/AlsteR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD47IKz1qdVQUFnBcRAuyuAJ9EMfDwOGgq4wsp+ALum123t2JrngCfQZs9
z3OzSIyo345j5O/4da1Qplw=
=wJ+j
-----END PGP SIGNATURE-----

More information about the listwork mailing list