Developers of Sympa

[Christian Mock <address@concealed>]

hi,

a customer is asking me to implement PGP support in sympa, so I wrote up
the following, and would like to ask you for comments -- did I ignore
any potential show-stoppers? does anybody think that my expectation to
get it done in two weeks is unrealistic?

regards,

cm.

support for PGP in sympa

- requirements:

signing and encryption, same as with S/MIME.

must support both MIME (RFC2015/3156) and classic ascii-armored PGP;
auto-detection on reception (easy), per-user setting on sending
(default is set by the type of the first received PGP mail).

optionally only accept keys that are trusted, to be able to implement
something like the list of trusted CAs for S/MIME; use PGP's trust
chain mechanisms for that.

on a list with both PGP and S/MIME members, there's no way for a
recipient to check the signature on a mail signed with the other
standard. this means that signed mails going out to recipients which
use the other standard, the list key must sign those mails to provide
"proxy signing" -- sympa checked the signature and found it valid and
"certifies" this with it's signature. original signature is left
intact.


- problems:

proxy signing: how to keep the original signature intact when sending
an originally MIME message to a PGP/ascii recipient? convert to text
and sign that?

users must send their PGP keys manually (as opposed to S/MIME where
the cert is automatically included) so sympa has the public key; this
means on subscription to a signature-requiring list, sympa must check
it has the user's key. add a new command? autodetect
application/pgp-keys and BEGIN PGP PUBLIC KEY BLOCK?

list needs two keys: RSA and DSS, for the incompatible PGP versions
(2.x doesn't do DSS, 5.x doesn't RSA).

compatibility testing with all those subtly different PGP versions out
there could be interesting.

no way to authenticate for the web interface via PGP. we ignore this,
because (as opposed to popular MUAs) all web browsers support X.509
certs, so the user just has to get one for that purpose (if he needs
the web interface).


-- 
Christian Mock                          Wiedner Hauptstrasse 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273