Encrypted MLs
Werner Koch
wk at isil.d.shuttle.de
Tue Apr 28 19:40:43 CEST 1998
Fred Lindberg <lindberg at id.wustl.edu> writes:
> i was thinking of:
>
> PASSPHRASE=`cat passphrase`
> gpg --skip_addresses_with_not_trusted_keys \
> --decrypt --verify --sign_with_key_ID:123 --reencrypt --keyfile
> addresses.txt \
> --output_to storage.file --format crude_non_armored < original
> encrypted(signed(message)) > storage.file
Better use something like this:
gpg --decrypt --verify <original | gpg --sign.... --keyfile... >storage
> switch ($?)
> case 0: ok
> case 1: bad_encryption
For this I have the --status-fd option which writes textual messages
which are easy to parse; you can use two different fd for the
decryption and the encryption stage. If the program returns with an
error, a grep tells you what's the real reason.
> addresses.txt has user addresses = userids (ezmlm could have a database
> doing address -> userid translation
> this _could_ be piped in using a fd other than stdin. ezmlm could also
It's okay to pass the email address to gpg.
> An option might be to keep the sender signature intact (when anonymity
> of sender is not important and it is important to recipients to know
> that the list has not tampered with the message contents.
It is possible to add more signatures to a message.
> The mailing list program would be responsible for rebuilding messages
> from the crude gpg 1x(encrypted-message), n x (pub-key encrypted
What I have to do is to change the sequence of the packets, but that is
trivial (but the output is not valid gpg message).
> A moderator checks all subscriptions and signs keys. Another part of
> the list assures that only subscriber keys that are signed by a
> moderator are accepted. If there are userIDs in addresses.txt with keys
> that haven't been signed by a moderator, those userIDs are ignored.
So we need a way to specify that a key must be signed by xxxxx;
this is reasonable because it avoids lengthy trust calculations.
Hmmm, very complicated to put this all into the OpenPGP standard.
Werner
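As an added illustration of the --status-fd idea from the reply above (not code from Werner, Fred or GnuPG itself): a parser for the "[GNUPG:] KEYWORD ..." status lines of the decryption stage that maps them to the ok / bad_encryption style outcomes Fred sketched, plus the subscriber check. The keyword names are taken from the doc/DETAILS file of current GnuPG releases (the 1998 set was smaller, so treat them as an assumption); the sample status output, fingerprints and addresses are constructed.

```python
"""Classify a list message from GnuPG's --status-fd output.

Run the decryption stage with the status channel on its own fd, e.g.
    gpg --status-fd 3 --decrypt <original 3>status.txt
so the machine-readable lines never mix with the decrypted message on stdout.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class DecryptResult:
    decrypted: bool = False           # DECRYPTION_OKAY seen
    good_signature: bool = False      # GOODSIG seen
    signer_fpr: Optional[str] = None  # fingerprint from VALIDSIG
    trust: Optional[str] = None       # TRUST_* keyword, lower-cased suffix
    problems: List[str] = field(default_factory=list)


def parse_status(lines: Iterable[str]) -> DecryptResult:
    """Pick the relevant keywords out of the status channel; ignore other output."""
    r = DecryptResult()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "DECRYPTION_OKAY":
            r.decrypted = True
        elif kw in ("DECRYPTION_FAILED", "NO_SECKEY", "NODATA"):
            r.problems.append(kw.lower())
        elif kw == "GOODSIG":
            r.good_signature = True
        elif kw == "VALIDSIG" and args:
            r.signer_fpr = args[0].upper()
        elif kw in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            r.problems.append(kw.lower())
        elif kw.startswith("TRUST_"):
            r.trust = kw[len("TRUST_"):].lower()
    return r


def classify(result: DecryptResult, subscribers: Set[str]) -> str:
    """Outcome for the list software; subscribers = accepted signer fingerprints."""
    if not result.decrypted:
        return "bad_encryption"
    if not result.good_signature or result.problems:
        return "bad_signature"
    if result.signer_fpr is None or result.signer_fpr not in subscribers:
        return "not_a_subscriber"
    return "ok"


# Constructed status output for a message that decrypted and verified cleanly.
SAMPLE_STATUS = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 List Subscriber <subscriber@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 1998-04-28 893785243 0 4 0 1 2 00
[GNUPG:] TRUST_FULLY
[GNUPG:] END_DECRYPTION
"""
SUBSCRIBERS = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # constructed

if __name__ == "__main__":
    print(classify(parse_status(SAMPLE_STATUS.splitlines()), SUBSCRIBERS))
```

Running the encryption stage with a second --status-fd and a second parser keeps the two failure classes apart, as the reply suggests.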