[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: [Meta] Mailing list suggestion: PGP encryption
- From: "Soni \"They/Them\" L." <fakedme@...>
- Date: Tue, 17 Nov 2020 14:25:01 -0300
On 2020-11-17 2:09 p.m., Gé Weijers wrote:
> On Tue, Nov 17, 2020 at 4:35 AM Soni "They/Them" L. <fakedme@gmail.com> wrote:
> >
> > There should be a way to configure the mailing list to encrypt mailing
> > list messages (preferably with multiple keys, as ppl tend to have
> > multiple devices, or even multiple keys per device for anonymization
> > purposes). There should be a way to configure the mailing list to
> > decrpyt mailing list messages (this one could use one mailing list key
> > for all senders altho ideally at least one key per sender would be
> > best). These would allow mailing list subscribers to opt-out of
> > "external sender" in subject lines, increasing the list's
> > signal-to-noise ratio by eliminating noise. (We don't know of any
> > mailing list software that supports PGP tho, but we do get slightly
> > annoyed by this stuff.)
>
> The "[EXTERNAL SENDER]" stuff is added by an employer's mail system
> (or a service provider on their behalf), it's intended to make
> phishing harder by notifying the recipient that the email originated
> from outside the company, there's not a whole lot you can do about
> that in mailing list software. I get those at my place of work.
>
> I don't see how encryption (PGP/GPG or otherwise) is relevant here,
> this is a public mailing list. Signing messages would make more sense,
> but there is no reliable certificate distribution system that can't be
> subverted by "public/private partnerships" (i.e. criminals that
> cooperate with intelligence agencies at times) that perform many of
> the phishing attacks these days.
>
PGP would help because it would look as sent from the list to any email
software snooping in the middle.
Instead, the actual headers and message would be encrypted, only for the
user to see. In other words, completely evading the MITM.
We don't need certificate distribution. Just log in to the list web
interface and paste your public keys there, etc.