[Mailman-Developers] Mailman and GPG.
Omri Schwarz
ocschwar@MIT.EDU
Tue, 07 Nov 2000 02:13:39 -0500
> At 12:54 AM -0500 11/7/00, Omri Schwarz wrote:
>
> >Both your solution and mine do the same thing on the human
> >failings angle: they allow a mail server admin to set up a list
> >that does encryption for everyone, so that people learn that
> >some things are best not discussed in plaintext.
>
> no, it really doesn't, because the message is sent to the MLM in
> plaintext, so it has no security at all. If you depend on the MLM to
> do the encryption, you might as well not encrypt, because anyone
> sniffing packets will have the data no problem. what you're doing is
> setting up a sense of *false* security, but you're in fact leaving
> things wide open. It has to be encrypted leaving the client, or it's
> not secure.
Unless I misunderstood, in both cases
a program on the server decrypts incoming mail and
then re-encrypts, but that in one case the Sendmail/Qmail
program does this while I want the MLM to do it.
Setting up an encryption-required rule for a list
should be easy in either case.
> >GPG version chauvinism is a must for such a project.
>
> why? you want encryption endemic. Which implies ability to handle
> anyone's public key and do something reasonable with it, not just
> one. Otherwise, you're balkanized, and that defeats the purpose again.
>
> >In turn, that kills the MUAs. However,
> >I don't believe good GPG handling in the MUAs
> >is the necessary-and-sufficient part to bring this about.
>
> If the MUAs don't support encryption, then how will users decrypt
> something the MLM encrypted? And if the MUA does support encryption
> -- the MLM doesn't have to.
>
MUAs that support encryption do exist.
Unfortunately, they cater mostly to Unix gurus.