LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Valdis Kletnieks
Mon, 12 May 2003 12:27:53 -0400
text/plain (55 lines)
On Mon, 12 May 2003 09:06:10 EDT, "Hiler, John" said:
> I totally agree with DCP, a "no brainer".

Although you may *THINK* public-key auth is a "no brainer", it's not as easy
as it looks (as years of experience dealing with security and crypto have
taught me):

1) You have to add support to the Listserv codebase. This can get interesting
since you now have to worry about the US ITAR regs (yes, even though they
are relaxed, there are still regs you can run afoul of). In addition, it makes
sales outside the US more interesting (if LSoft has an office in Paris, that
could get funky ;)

2) You need to document it all.

3) You need end-user client support - basically, if it isn't either an
S/MIME signature or a PGP signature, you will be stuck hand-rolling a
plugin for the mail program to do the signatures for you.  And even if
it *is* using S/MIME or PGP, you still have to walk the user through the
process of downloading and installing the plugin, generating a key pair,
explaining passphrases, and all the rest of it.

4) You need to come up with a key management scheme - how do people get
their public keys to Listserv so they can be authenticated?  There are various
solutions to this - SSH lets you copy your keys over 'scp' (which has a
bootstrap vulnerability for the server's keys), PGP has keyservers and the
web-of-trust, X.509 has the concept of a CA.  Each of these has its own
operational headaches....

5) The original poster needs to re-evaluate what he's trying to do:

> This will
> allow us to create public announcements (and send more sensitive
> information to private lists)  through automated systems without having
> to worry about forgery, a wait for moderation, or interception of
> passwords or SMTP traffic on the network.

There's absolutely *NOTHING* stopping him from posting PGP-encrypted
sensitive information to a list *NOW*.  If it's that sensitive, it needs
to be end-to-end encrypted, not "use crypto to authenticate it's from
person/process XYZ" - that's just security through obscurity.  After all,
interception of SMTP traffic is more likely *OUTBOUND*, just because only
one copy came in, and hundreds may be leaving. ;)

No matter *WHAT* public-key system you're using, doing it via an automated
system is a can of worms, because you *HAVE* to have the private key around
so you can sign/encrypt.  Of course, if the private key is around and the box
gets hacked, you have a problem.  Analyze this carefully, in the context of
the threat model for the sensitive list in question....

Even after all that, I still agree it *would* be pretty cool if Listserv
allowed PGP signatures as per RFC3156. ;)

/Valdis
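The RFC 3156 PGP/MIME structure the closing line refers to, as an added example that is not part of the original post and not LISTSERV or L-Soft code. It builds a multipart/signed message, then takes one apart on the receiving side, checking the structure (protocol and micalg parameters, exactly two parts, the second being application/pgp-signature) and recovering the exact canonical bytes the signature covers. The signer is passed in as a callable; in practice that would wrap `gpg --detach-sign --armor`, which is an assumption here. `stub_sign` and `stub_verify` are constructed stand-ins that only hash the data so the example runs offline; they are not OpenPGP. The sample body text and Subject header are constructed.

```python
"""RFC 3156 (PGP/MIME) multipart/signed: build one, and take one apart safely.

Added example; not code from the LSTSRV-L thread or from L-Soft.  Real
signing is delegated to a callable (assumed: a wrapper around
`gpg --detach-sign --armor`).  stub_sign/stub_verify are constructed
stand-ins that only hash the data; they are not OpenPGP.
"""
import email
import hashlib
from email import policy
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from typing import Callable, Tuple

PROTOCOL = "application/pgp-signature"
Signer = Callable[[bytes], bytes]


def canonicalize(part_bytes: bytes) -> bytes:
    """Canonical form of the signed part, headers included: trailing
    spaces/tabs stripped (RFC 3156 notes transit may remove them) and
    CRLF line endings.  Signer and verifier must feed in the same bytes."""
    lines = part_bytes.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)


def build_signed_message(body_text: str, signer: Signer,
                         micalg: str = "pgp-sha256") -> bytes:
    """Wrap body_text as the first part of multipart/signed; the second
    part carries the detached signature over the canonical first part."""
    signed_part = MIMEText(body_text)
    signature = signer(canonicalize(signed_part.as_bytes()))

    sig_part = MIMENonMultipart("application", "pgp-signature",
                                name="signature.asc")
    sig_part.set_payload(signature.decode("ascii"))
    sig_part["Content-Transfer-Encoding"] = "7bit"

    outer = MIMEMultipart("signed", protocol=PROTOCOL, micalg=micalg)
    outer["Subject"] = "List announcement"      # constructed sample header
    outer.attach(signed_part)
    outer.attach(sig_part)
    return outer.as_bytes()


def split_signed_message(raw: bytes) -> Tuple[bytes, bytes]:
    """Receiver side: validate the multipart/signed structure and return
    (canonical signed bytes, signature bytes).  The signed part is cut out
    of the raw bytes rather than re-serialised from the parsed tree, since
    re-serialising can refold headers or alter line endings and make a
    good signature fail for no attacker-related reason."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    if msg.get_param("protocol") != PROTOCOL:
        raise ValueError("protocol parameter is not " + PROTOCOL)
    if msg.get_param("micalg") is None:
        raise ValueError("micalg parameter missing")
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != PROTOCOL:
        raise ValueError("need exactly two parts, the second " + PROTOCOL)

    delim = b"\n--" + msg.get_boundary().encode("ascii")
    first = raw.find(delim)
    if first < 0:
        raise ValueError("opening boundary not found")
    start = raw.find(b"\n", first + 1) + 1     # first byte of the signed part
    second = raw.find(delim, start)
    if second < 0:
        raise ValueError("closing boundary not found")
    # RFC 2046: the line break before a delimiter belongs to the delimiter
    end = second - 1 if raw[second - 1:second] == b"\r" else second
    return canonicalize(raw[start:end]), parts[1].get_payload(decode=True)


def is_pgp_mime_signed(raw: bytes) -> bool:
    """Structural check only; says nothing about who signed or if it verifies."""
    try:
        split_signed_message(raw)
        return True
    except ValueError:
        return False


# Constructed stand-ins: a SHA-256 digest dressed up as an armoured block.
def stub_sign(data: bytes) -> bytes:
    digest = hashlib.sha256(data).hexdigest().encode("ascii")
    return (b"-----BEGIN PGP SIGNATURE-----\n\n" + digest
            + b"\n-----END PGP SIGNATURE-----\n")


def stub_verify(data: bytes, signature: bytes) -> bool:
    return stub_sign(data) == signature


if __name__ == "__main__":
    raw = build_signed_message("Hello list,\nThis is a signed announcement.\n",
                               stub_sign)
    data, sig = split_signed_message(raw)
    print("verifies:", stub_verify(data, sig))
    forged = raw.replace(b"signed announcement", b"forged announcement")
    data, sig = split_signed_message(forged)
    print("forged copy verifies:", stub_verify(data, sig))
```

The part worth noticing is `split_signed_message`: it slices the signed part out of the bytes as received and canonicalizes them, instead of re-serialising the parsed object. That is where hand-rolled PGP/MIME code usually goes wrong, and it is why a message that verifies in one client can fail in another even though nobody tampered with it.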