[Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

[Joost van Baal-Ilić]

Hi!

On Thu, May 23, 2013 at 02:26:46PM -0400, Daniel Kahn Gillmor wrote:
> On 05/23/2013 12:06 PM, Abhilash Raj wrote:
<snip>
> > My doubt is that how do we actually decide what is the best policy for
> > us to follow? One person may agree to my point, other may not, third
> > may have a different point and so on and so forth. So how do we decide
> > upon one point? Voting?
> 
> This is a good question :)
> 
> I think you should propose a reasonable approach for handling all these
> various corner cases, and where your approach has some arbitrary cutoffs
> (e.g. messages with signatures older than K days will not be accepted
> for delivery), you make the arbitrary cutoff tuneable by the list
> administrator and choose a sensible default.
> 
> Then you solicit and accept patches from people who have a strong
> argument that your implementation isn't aligned with a reasonable policy
> they would like to pursue :)

I've just typesetted
http://non-gnu.uvt.nl/pub/mailman/mailman-2.1.15-with-pgp-smime_2012-08-28-patch/pgp-smime/audit.pdf
and
http://non-gnu.uvt.nl/pub/mailman/mailman-2.1.15-with-pgp-smime_2012-08-28-patch/pgp-smime/audit2/audit2.pdf
.  These document some ideas about threats for a PGP-enhanced mailman
implementation.  (More documentation is available in
http://non-gnu.uvt.nl/pub/mailman/mailman-2.1.15-with-pgp-smime_2012-08-28-patch/pgp-smime
.)

HTH.

<snip>
> > I am really thankful for your questions and suggestions. I tried to
> > answer them with some thought. Please correct me if I am wrong.
> 
> Thanks, I really appreciate your engagement with these questions.  There
> are a lot of finicky details to keep track of, and you're coming up to
> speed fast on questions that most people haven't thought about at all.
> Keep it up!

+1

Bye,

Joost

-- 
irc:joostvb@{OFTC,freenode} ∙ http://mdcc.cx/ ∙ http://ad1810.com/