[dev] PGP keys for security at horde.org

Vilius Sumskas/LNK vilius at lnk.lt
Tue Jul 1 19:09:04 UTC 2014


> > Quoting Thomas Jarosch <thomas.jarosch at intra2net.com>:
> >
> >> Hi,
> >>
> >> given the recent development in world wide data snooping
> >> of government agencies, I guess it would be a good idea
> >> if there's a secure way to report issues to security at horde.org.
> >>
> >> Otherwise information about possible exploit vectors might fall
> >> into the "wrong" hands before a fix is publicly released.
> >>
> >> We could define a set of PGP keys on 
> >> http://wiki.horde.org/SecurityManagement
> >> that could be used to report issues on the "security" email alias. Or we
> >> could create a distinct PGP key that's shared among a few trusted people.
> >>
> >> Opinions?
> >
> > While I don't have any objections to creating a shared PGP key for 
> > this purpose, there is really no way to enforce the use of sending 
> > an encrypted email. This would require someone to search for, and 
> > find, the keys to use. I just don't see the advantage if we can't 
> > enforce it.
> 
> Well, obviously the sender has to be aware that encryption might be a 
> good idea. Chances are that people discovering vulnerabilities are 
> aware of that.
> Beside putting the key(s) on the wiki/website, we would also 
> upload it to a PGP keyserver. That's probably the first place where 
> security aware people would look for public keys.

How about replacing email with HTTPS protected web form? Probably Ulaform 
could be used for that? This would automatically enforce secure 
communication by default.

-- 
   Vilius
