lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Tue, Nov 17, 2020 at 9:11 AM Gé Weijers <> wrote:
On Tue, Nov 17, 2020 at 4:35 AM Soni "They/Them" L. <> wrote:
> There should be a way to configure the mailing list to encrypt mailing
> list messages (preferably with multiple keys, as ppl tend to have
> multiple devices, or even multiple keys per device for anonymization
> purposes). There should be a way to configure the mailing list to
> decrpyt mailing list messages (this one could use one mailing list key
> for all senders altho ideally at least one key per sender would be
> best). These would allow mailing list subscribers to opt-out of
> "external sender" in subject lines, increasing the list's
> signal-to-noise ratio by eliminating noise. (We don't know of any
> mailing list software that supports PGP tho, but we do get slightly
> annoyed by this stuff.)

The "[EXTERNAL SENDER]" stuff is added by an employer's mail system
(or a service provider on their behalf), it's intended to make
phishing harder by notifying the recipient that the email originated
from outside the company, there's not a whole lot you can do about
that in mailing list software. I get those at my place of work.

I don't see how encryption (PGP/GPG or otherwise) is relevant here,
this is a public mailing list. Signing messages would make more sense,
but there is no reliable certificate distribution system that can't be
subverted by "public/private partnerships" (i.e. criminals that
cooperate with intelligence agencies at times) that perform many of
the phishing attacks these days.

But PGP *does* do clear text signing?  You run pgp over the message and it produces a hash that can be verified with a public key. That isn't something the server would do though, that would be something that a user does prior to sending the message, including the message hash. I am pretty sure GNUPGP also contains server software for distributing public keys. The problem with this is that the burden is on the users to A) Use it and B) Use it correctly, consistently.

I suppose if you wanted to verify the *mail server*, you could write a mime service that hashes all the messages that it receives (with it's private key) and includes the hash in the mime header? The public key could be distributed via a webpage for people that care?