[Mailman-Developers] GSOC Project idea: OpenPGP integration

Richard Damon Richard at Damon-Family.org
Mon Apr 29 14:30:35 CEST 2013


On 4/29/13 5:40 AM, Ian Eiloart wrote:
> Also, what kind of secure list would have automated processing of
> message content as a requirement? If a message is gpg encrypted, then
> every sender would require the public keys of every recipient, would
> they not? Which means that a PKI for the list holders is required.
> Currently outside of Mailman's scope, but if it exists, then
> presumably senders would be required to cryptographically sign every
> message. All the list needs to do is verify the signature before
> redistributing. THAT is going to be the main body processing requirement. 
That is one way; the other is you send the message encrypted to the
list's public key, and the list decrypts the message and then reencrypts
to each recipient's public key. (In many cases this doesn't actually
require decrypting/reencrypting the whole message, just the session key
block).

The list could also check any signature, and sign messages with valid
signatures with its key.

That way, subscribers don't need any other subscriber's public key. In
fact, I think the list could even be set up anonymous so you might not
even know who anyone else was, just that the list has validated that the
message came from someone on the list.

-- 
Richard Damon
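
The session-key-only re-encryption described in the message above, sketched at the packet level as an added example (not part of the original post and not Mailman code): in OpenPGP the session key travels in its own packets ahead of the bulk ciphertext, so re-addressing swaps those packets and copies the rest unchanged. The key IDs, wrapped-key bytes and function names are constructed for illustration, and the public-key unwrap/wrap of the session key itself is assumed to be done by an OpenPGP library.

```python
# Added illustration, not Mailman code. OpenPGP (RFC 4880) new-format packet
# framing only; the wrapped session keys are constructed placeholder bytes.
PKESK, SEIPD = 1, 18  # tags: session-key block, encrypted message body

def read_packets(data):
    """Split a binary OpenPGP message into (tag, body, raw_packet) tuples."""
    packets, i = [], 0
    while i < len(data):
        start, first = i, int.from_bytes(data[i + 1:i + 2], "big")
        if data[i] & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled")
        if first < 192:                       # one-octet length
            length, i = first, i + 2
        elif first < 224:                     # two-octet length
            length, i = ((first - 192) << 8) + int.from_bytes(data[i + 2:i + 3], "big") + 192, i + 3
        elif first == 255:                    # five-octet length
            length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        else:
            raise ValueError("partial body lengths are not handled")
        if i + length > len(data):
            raise ValueError("truncated packet")
        packets.append((data[start] & 0x3F, data[i:i + length], data[start:i + length]))
        i += length
    return packets

def write_packet(tag, body):
    """Frame body with a new-format header (one- or two-octet length only)."""
    n = len(body)
    if n >= 8384:
        raise ValueError("body too long for this example")
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def pkesk_v3(key_id, wrapped_key, algo=1):
    """Version-3 PKESK: version, 8-byte key ID, algorithm, wrapped session key."""
    return write_packet(PKESK, bytes([3]) + key_id + bytes([algo]) + wrapped_key)

def readdress(message, list_key_id, wrapped_for):
    """Swap the PKESK packets for one per subscriber; copy all else verbatim."""
    packets = read_packets(message)
    if not any(t == PKESK and b[1:9] == list_key_id for t, b, _ in packets):
        raise ValueError("message is not encrypted to the list key")
    rest = b"".join(raw for t, _, raw in packets if t != PKESK)
    return b"".join(pkesk_v3(k, w) for k, w in wrapped_for.items()) + rest

# Constructed sample: one message sent to the list, re-addressed to two subscribers.
LIST_ID, ALICE_ID, BOB_ID = (bytes([b]) * 8 for b in (0x11, 0xAA, 0xBB))
BULK = write_packet(SEIPD, b"\x01" + b"\x5a" * 300)   # constructed ciphertext
INCOMING = pkesk_v3(LIST_ID, b"wrapped-for-list") + BULK
OUTGOING = readdress(INCOMING, LIST_ID, {ALICE_ID: b"for-alice", BOB_ID: b"for-bob"})
```

The bulk ciphertext packet in `OUTGOING` is byte-for-byte the one that arrived, and the list's own key ID no longer appears in any session-key packet.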


