[Mailman-Developers] encrypting list reminders

Brian Lalor blalor@hcirisc.cs.binghamton.edu
Thu, 1 Feb 2001 12:01:17 -0500 (EST)


I'm not subscribed to the list; please CC me on any replies.

The topic of plaintext passwords sent out each month as part of the
reminder process came up on the GnuPG mailing list today.  The below
conversation extolls the virtues of this method and how it balances the
user experience and ease of administration with the insecurity of the
method.

I'd like to suggest that encryption of the password reminders be
implemented.  It would be as "simple" as grafting in GnuPG with mailman
and keeping the user's public key and associated key id stored along with
their email address.  This would allow mailman to encrypt these
administrivia and have the best of all worlds.

Additionally, messages could be signed automatically; this could be *all*
messages sent from the list, or just administrative messages.

The more I think about it, the better this idea is! :-)

B

_____________________________________________________________________________
B r i a n  L a l o r                         blalor@hcirisc.cs.binghamton.edu
http://hcirisc.cs.binghamton.edu/~blalor     Spam me not.
   To get my pgp key, put "get pgp key" in the subject of your message

My Dad used to say I have deceptive quickness.  I'm slower than I look.



---------- Forwarded message ----------
Date: Thu, 1 Feb 2001 10:44:28 -0600 (CST)
From: Frank Tobin <ftobin@uiuc.edu>
To: Dan Harkless <gnupg@dilvish.speed.net>
Cc: gnupg-users@gnupg.org
Subject: Re: gnupg.org mailing list memberships reminder

Dan Harkless, at 18:58 -0800 on Wed, 31 Jan 2001, wrote:

    Gotta love a mailing list devoted to email security that sends your password
    to you in cleartext once a month whether you like it or not.  I assume
    there's still no way to turn this off in mailman?  (I last asked a few years
    ago.)

First of all, the mailing list is not devoted to email security.  Anyone
who thinks OpenPGP is limited to email needs to re-think what it's good
for.

When it comes to public mailing lists, the most important thing is to have
the least frustration for the end users and easiest management for the
administration.  While it does have the offset of lowering security, I
feel that in the end it provides for a much better experience of the
majority of end-users and administration to have monthly reminders.

There are multiple levels of security, and your email-subscriptions to
public mailing lists should really rank way down at the bottom of the
list.

-- 
Frank Tobin		http://www.uiuc.edu/~ftobin/

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
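
A sketch of the suggestion in the first message, in Python (Mailman's language), as an added example that is not part of either message or of Mailman's code. The `Member` record, its `fingerprint` field and the function names are hypothetical. It assumes a `gpg` binary on PATH and a list keyring in `homedir` that already holds the members' public keys, and it stores the full fingerprint rather than a short key id.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

FPR_RE = re.compile(r"[0-9A-Fa-f]{40}")  # full v4 fingerprint, not a short key id


@dataclass
class Member:
    address: str
    password: str
    fingerprint: Optional[str] = None  # hypothetical field stored with the address


def gpg_argv(fingerprint: str, homedir: str, sign_as: Optional[str] = None) -> List[str]:
    """Build the gpg command line that encrypts stdin to one stored key."""
    if not FPR_RE.fullmatch(fingerprint):
        # Rejects short ids and anything gpg could read as an option.
        raise ValueError("expected a 40-hex-digit fingerprint")
    argv = ["gpg", "--batch", "--no-tty", "--homedir", homedir, "--armor",
            # Assumption: the key was pinned by fingerprint at subscription
            # time, so the list keyring needs no web-of-trust path to it.
            "--trust-model", "always", "--recipient", fingerprint]
    if sign_as:
        argv += ["--local-user", sign_as, "--sign"]  # optional list signature
    return argv + ["--encrypt"]


def run_gpg(argv: List[str], plaintext: str) -> str:
    """Pipe plaintext through gpg; raises if gpg exits non-zero."""
    done = subprocess.run(argv, input=plaintext.encode(), capture_output=True, check=True)
    return done.stdout.decode("ascii")


def reminder_body(member: Member, listname: str, homedir: str,
                  encrypt: Callable[[List[str], str], str] = run_gpg) -> str:
    """Return the monthly reminder text for one member."""
    secret = f"Your password for {listname} is: {member.password}\n"
    if member.fingerprint is None:
        # Fail closed (an assumption of this sketch): no key on file
        # means the password is never mailed.
        return f"You are subscribed to {listname} as {member.address}.\n"
    return encrypt(gpg_argv(member.fingerprint, homedir), secret)
```
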