Date: Mon, 3 Jul 2017 14:35:55 +0200 From: Kristian Fiskerstrand <k_f@...too.org> To: oss-security@...ts.openwall.com, Anthony Liguori <anthony@...emonkey.ws> Subject: Re: accepting new members to (linux-)distros lists On 07/02/2017 10:58 PM, Anthony Liguori wrote: > On Jul 2, 2017 1:38 PM, "Kristian Fiskerstrand"<k_f@...too.org> wrote: >> The immediate thought that springs to mind is the [lack of OpenPGP >> support in bugzilla] which makes it difficult to ensure confidentiality >> unless disabling all email warnings. > > I would just assume all email is disabled. I don't know of a tool that > does this right so for security sensitive things, I think disabling email > notification is a best practice. It wouldn't take much to have a tool that does, mainly what I outline in the previous post to ensure OpenPGP keyblock management for the individual users, and as an extension of the scope for that perhaps a [MemoryHole] implementation to ensure confidentiality / integrity verification of the RFC822 headers such as Subject. Enigmail users should already have such support read-only[Note:A] References: [MemoryHole] http://modernpgp.org/memoryhole/ https://wiki.gnupg.org/OpenPGPEmailSummit201607/MemoryHole Notes: [Note:A] to toggle it on encrypted subjects on sending you'd use extensions.enigmail.protectHeaders -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ