Date: Mon, 3 Jul 2017 14:35:55 +0200
From: Kristian Fiskerstrand <k_f@...too.org>
To: oss-security@...ts.openwall.com, Anthony Liguori <anthony@...emonkey.ws>
Subject: Re: accepting new members to (linux-)distros lists

On 07/02/2017 10:58 PM, Anthony Liguori wrote:
> On Jul 2, 2017 1:38 PM, "Kristian Fiskerstrand"<k_f@...too.org> wrote:
>> The immediate thought that springs to mind is the [lack of OpenPGP
>> support in bugzilla] which makes it difficult to ensure confidentiality
>> unless disabling all email warnings.
> 
> I would just assume all email is disabled.  I don't know of a tool that
> does this right so for security sensitive things, I think disabling email
> notification is a best practice.

It wouldn't take much to have a tool that does, mainly what I outline in
the previous post to ensure OpenPGP keyblock management for the
individual users, and as an extension of the scope for that perhaps a
[MemoryHole] implementation to ensure confidentiality / integrity
verification of the RFC822 headers such as Subject. Enigmail users
should already have such support read-only [Note:A].

References:
[MemoryHole]
http://modernpgp.org/memoryhole/
https://wiki.gnupg.org/OpenPGPEmailSummit201607/MemoryHole

Notes:
[Note:A] to toggle it on encrypted subjects on sending you'd use
extensions.enigmail.protectHeaders


-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


