[147767] in cryptography@c2.net mail archive


Re: [Cryptography] Mail Lists In the Post-Snowden Era

daemon@ATHENA.MIT.EDU (Christian Huitema)
Sun Oct 20 13:32:31 2013

X-Original-To: cryptography@metzdowd.com
From: "Christian Huitema" <huitema@huitema.net>
To: "'Jerry Leichter'" <leichter@lrw.com>,
	<cryptography@metzdowd.com>
In-Reply-To: <B8751F45-4115-45A5-A6EA-F13AFA3681CE@lrw.com>
Date: Sun, 20 Oct 2013 10:27:53 -0700
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

> So what would a reasonable security model for the Cryptography list look
> like?  Is it inherently just an open discussion?  Or could we come up with
> something else?  If we can do more, what kind of software would be needed
> to make it as free-flowing and easy to participate in and manage as
> the current list?

I know of several attempts to do that, and the conclusion always seems to be
that e-mail is not the right tool for this job, and that specialized
bulletin boards are much easier to deploy.

It is pretty clear that end-to-end e-mail encryption using PGP or S/MIME
does not work for large groups. You end up having to solve the "distribution
of the key to a large group," which is a variant of "sharing a secret with a
large number of people," pretty much an oxymoron. If you want a solution
that can actually be deployed, you have to send securely to the mail
reflector, and have the mail reflector send securely to each subscriber.
That could be done, but still would not solve "anonymous posting."

It would be much easier to switch to a bulletin board format. Imagine
something like Slashdot, but with authenticated TLS access to the server.
Once a subscriber is authenticated, they get the option to post anonymously.
All subscribers can read the messages with a web interface. Clearly that
puts a lot of trust in the server, but no more trust than we put in the
current e-mail reflectors. If you place the server in a country with
appropriate privacy laws, and if the server management can be audited by
some trusted subset of the community, you should be good.

-- Christian Huitema


