Date: Mon, 3 Jul 2017 15:37:38 +0200 From: Kristian Fiskerstrand <k_f@...too.org> To: oss-security@...ts.openwall.com, Anthony Liguori <anthony@...emonkey.ws> Subject: Bugzilla implementation of OpenPGP and Memory Hole (Was: Re: accepting new members to (linux-)distros lists) [Changing subject as it has likely gone too off target with the previous one] On 07/03/2017 02:35 PM, Kristian Fiskerstrand wrote: > On 07/02/2017 10:58 PM, Anthony Liguori wrote: >> On Jul 2, 2017 1:38 PM, "Kristian Fiskerstrand"<k_f@...too.org> wrote: >>> The immediate thought that springs to mind is the [lack of OpenPGP >>> support in bugzilla] which makes it difficult to ensure confidentiality >>> unless disabling all email warnings. >> >> I would just assume all email is disabled. I don't know of a tool that >> does this right so for security sensitive things, I think disabling email >> notification is a best practice. > > It wouldn't take much to have a tool that does, mainly what I outline in > the previous post to ensure OpenPGP keyblock management for the > individual users, and as an extension of the scope for that perhaps a > [MemoryHole] implementation to ensure confidentiality / integrity > verification of the RFC822 headers such as Subject. Enigmail users > should already have such support read-only[Note:A] Just to add that when I say read only here it goes to the encrypted subject aspect of things (as, perhaps, inferred from the note). Enigmail should already, by default, use MemoryHole for signed messages in OpenPGP/MIME mode, which should be visible as a separate first MIME part e.g of this email. -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ