[Cryptography] encrypted list mail, was FW: IAB Statement

Bill Frantz frantz at pwpconsult.com
Sat Nov 22 20:05:21 EST 2014

On 11/22/14 at 10:26 AM, barney at databus.com (Barney Wolff) wrote:

>On Fri, Nov 21, 2014 at 10:48:56PM -0800, Bill Frantz wrote:
>>The one encrypted list I have used used PGP. Everyone on the 
>>list had a copy of the list's secret key. Everyone encrypted 
>>to the matching public key. Its UI was as good as PGP. :-)
>I'm baffled.  You didn't trust the list server with the plaintext, but
>you trusted every list member's computer?  So why didn't you use one of
>them as the list server?

Just to be clear, it wasn't my list anymore than this list is my 
list. I have no idea what authorization the list server machine had.

Everyone who was invited to join the list was authorized to read 
list traffic. Men in the middle, eavesdroppers etc. were not. 
The decryption key, which was in fact a PGP secret key, was 
shared with everyone authorized to read the traffic.

Note that some of the advantages of this system are:

  * No special software, just PGP and a mail list daemon.
  * No extra load on the list server. It just forwards messages.
  * Messages in the list archive are encrypted.
  * If the list server needs to read messages, it can be given a 
copy of the key.

Disadvantages include:

  * New keys need to be distributed when people lose their list authorization.
  * One can forget to encrypt a message and send it in the clear.
  * Messages in the list archive are encrypted, making search harder.

If one wants to have an unencrypted list archive, one could 
modify the list daemon software to decrypt the messages before 
putting them in the archive. You would probably want to control 
access to the archive with HTTPS and a logon. And you would lose 
the advantage of standard software.

In fact the system worked quite well.

Cheers - Bill

Bill Frantz        | "I wish there was a knob on the TV to turn 
up the
408-356-8506       | intelligence.  There's a knob called 
"brightness", but
www.pwpconsult.com | it doesn't work. -- Gallagher

More information about the cryptography mailing list