Date: Mon, 3 Jul 2017 14:35:55 +0200
From: Kristian Fiskerstrand <k_f@...too.org>
To: oss-security@...ts.openwall.com, Anthony Liguori <anthony@...emonkey.ws>
Subject: Re: accepting new members to (linux-)distros lists

On 07/02/2017 10:58 PM, Anthony Liguori wrote:
> On Jul 2, 2017 1:38 PM, "Kristian Fiskerstrand"<k_f@...too.org> wrote:
>> The immediate thought that springs to mind is the [lack of OpenPGP
>> support in bugzilla] which makes it difficult to ensure confidentiality
>> unless disabling all email warnings.
> 
> I would just assume all email is disabled.  I don't know of a tool that
> does this right so for security sensitive things, I think disabling email
> notification is a best practice.

It wouldn't take much to have a tool that does, mainly what I outline in
the previous post to ensure OpenPGP keyblock management for the
individual users, and as an extension of the scope for that perhaps a
[MemoryHole] implementation to ensure confidentiality / integrity
verification of the RFC822 headers such as Subject. Enigmail users
should already have such support read-only [Note:A].

References:
[MemoryHole]
http://modernpgp.org/memoryhole/
https://wiki.gnupg.org/OpenPGPEmailSummit201607/MemoryHole

Notes:
[Note:A] to toggle it on encrypted subjects on sending you'd use
extensions.enigmail.protectHeaders


-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


