In message <199411122031.AA18561@cs.umb.edu>, "John P. Rouillard" writes:

>Majordomo could also just sign all messages (option 1). This would
>allow the users on the list to validate all messages coming over the
>list as actually being from the person they claim to be from, without
>having the public key for the person sending the message. In this case
>majordomo would act as a notary for the message.

A rather poor notary. All that would gain you would be that you would
be sure that the mail came from the list. You wouldn't know if the
person in the From: line actually sent the message. The only way to
verify that the person itself sent the message is for the person
to PGP sign the message with their private key.

If we're going to integrate PGP into majordomo, the only way to
do that IMHO is to do it to increase security:

1) List owners have keys known to the Majordomo server.
   All list management traffic takes place via encrypted or signed
   mail. The Majordomo owner must verify the list owners' keys.

2) List members may send their public keys to the Majordomo server, but...

3) ...list owners must verify the validity of all public keys via
   signed mail messages, or send pre-signed public keys to the server.

4) Have all majordomo mail signed by the majordomo key, so you know
   that it came from the server.

5) Have majordomo verify the signatures of all incoming messages,
   and bounce (to sender) ones that don't check out. Optionally
   bounce any unsigned messages. Transparently pass through all
   correct mail.

("verify" meaning compare fingerprints via some third-party means, either
via phone call or some secure channel)

2-5 can be optional of course if your list isn't closed/restricted/
or moderated. 1-5 are optional if you're PGP impaired. :-)
--Dave
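
The pass/bounce gate of step 5, as an added example that is not part of the original message and is not Majordomo code. It assumes signature results arrive as GnuPG-style `--status-fd` lines (the message names no tool), that the caller supplies the bare From: address, and that `VERIFIED` is a hypothetical table of fingerprints the list owner checked out of band; all sample data is constructed.

```python
# Added illustration, not Majordomo code. Assumes GnuPG-style status lines.
BAD_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Hypothetical table: From: address -> fingerprint the list owner verified
# out of band. Both fingerprints below are constructed.
VERIFIED = {"alice@example.org": "A" * 40, "mallory@example.org": "B" * 40}


def classify(status_text):
    """Return (state, fingerprint); state is 'good', 'bad' or 'unsigned'."""
    good, fpr = False, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in BAD_TAGS:
            return "bad", None
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Prefer the primary-key fingerprint (last field) when present.
            fpr = (parts[11] if len(parts) >= 12 else parts[2]).upper()
    if good and fpr:
        return "good", fpr
    # A half-reported signature is treated as bad, not as unsigned.
    return ("bad", None) if good or fpr else ("unsigned", None)


def decide(from_addr, status_text, bounce_unsigned=False):
    """Return 'pass' or 'bounce' for one incoming list message."""
    state, fpr = classify(status_text)
    if state == "unsigned":
        return "bounce" if bounce_unsigned else "pass"
    if state == "bad":
        return "bounce"
    # A valid signature only counts if it is the key verified for this From:.
    return "pass" if VERIFIED.get(from_addr.lower()) == fpr else "bounce"


def _status(fpr, name):
    """Build constructed status output for a good signature by `fpr`."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} {name}\n"
            f"[GNUPG:] VALIDSIG {fpr} 1994-11-12 784672260 0 4 0 1 8 01 {fpr}\n")


ALICE_OK = _status("A" * 40, "Alice <alice@example.org>")
MALLORY_OK = _status("B" * 40, "Mallory <mallory@example.org>")
TAMPERED = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Alice <alice@example.org>\n"
UNSIGNED = "[GNUPG:] NODATA 1\n"
```

The case `decide("alice@example.org", MALLORY_OK)` is the one a list-only signature cannot catch: the signature is cryptographically valid, but it is not from the key verified for the From: address, so the message bounces.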