From: Samuli S. <sa...@op...> - 2010-07-16 08:35:11

Samuli Seppänen wrote:
>> Discussed various mechanisms to make security vulnerability discussions
>> secure. Sending of security vulnerability reports to us could be done
>> securely with a simple HTTPS webapp. Alternatively, we could make an
>> official PGP public key available for sending in reports. There are two
>> options for securing discussions on the security mailinglist:
>>
>> - everybody uses the same PGP public/private keypair which expires, say,
>> after one year
>> - everybody uses personal PGP keys for communication: all need to have
>> the public keys of everyone else and each mail has to be encrypted once
>> for every recipient
>>
>> Agreed that the second option is better, if mail clients can be
>> configured to do multiple encryption automatically. Samuli promised to
>> check if Thunderbird + Enigmail supports this. Samuli also promised to
>> check if SF.net mailinglists could be used for the -security ml.
>>
>
> As promised, I did some digging... Thunderbird + Enigmail _should_ be
> able to encrypt messages using several public keys based on the target
> address (e.g. ope...@li...):
>
> <http://enigmail.mozdev.org/documentation/pgprules.php>
>
> I currently only have David's public PGP/GnuPG key - if somebody else
> cares to share his key, we could test if this works in practice.
>

Did some digging in the wonderful world of SF.net mailinglists... Snippets from the GNU mailman admin interface:

"Require approval - require list administrator approval for subscriptions"

"*private_roster* (privacy): Who can view subscription list? When set, the list of subscribers is protected by member or admin password authentication."

"*generic_nonmember_action* (privacy): Action to take for postings from non-members for which no explicit action is defined.

When a post from a non-member is received, the message's sender is matched against the list of explicitly accepted <https://lists.sourceforge.net/lists/admin/openvpn-als-devel/?VARHELP=privacy/sender/accept_these_nonmembers>, held <https://lists.sourceforge.net/lists/admin/openvpn-als-devel/?VARHELP=privacy/sender/hold_these_nonmembers>, rejected <https://lists.sourceforge.net/lists/admin/openvpn-als-devel/?VARHELP=privacy/sender/reject_these_nonmembers> (bounced), and discarded <https://lists.sourceforge.net/lists/admin/openvpn-als-devel/?VARHELP=privacy/sender/discard_these_nonmembers> addresses. If no match is found, then this action is taken."

So it is possible to lock the list down pretty tightly, if required.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock