[dev] PGP keys for security at horde.org
Jan Schneider
jan at horde.org
Tue Jul 1 17:14:41 UTC 2014
Quoting Michael J Rubinsky <mrubinsk at horde.org>:
> Quoting Thomas Jarosch <thomas.jarosch at intra2net.com>:
>
>> Hi,
>>
>> given the recent development in worldwide data snooping
>> of government agencies, I guess it would be a good idea
>> if there's a secure way to report issues to security at horde.org.
>>
>> Otherwise information about possible exploit vectors might fall
>> into the "wrong" hands before a fix is publicly released.
>>
>> We could define a set of PGP keys on
>> http://wiki.horde.org/SecurityManagement
>> that could be used to report issues on the "security" email alias. Or we
>> could create a distinct PGP key that's shared among a few trusted people.
>>
>> Opinions?
>
> While I don't have any objections to creating a shared PGP key for
> this purpose, there is really no way to enforce the use of sending
> an encrypted email. This would require someone to search for, and
> find, the keys to use. I just don't see the advantage if we can't
> enforce it.

Well, obviously the sender has to be aware that encryption might be a
good idea. Chances are that people discovering vulnerabilities are
aware of that.

Besides putting the key(s) on the wiki/website, we would also
upload it to a PGP keyserver. That's probably the first place where
security-aware people would look for public keys.

Jan.
--
Jan Schneider
The Horde Project
http://www.horde.org/
https://www.facebook.com/hordeproject