[dev] PGP keys for security at horde.org

Ralf Lang lang at b1-systems.de
Wed Jul 2 06:20:28 UTC 2014


On 01.07.2014 21:09, Vilius Sumskas/LNK wrote:
>>> Quoting Thomas Jarosch <thomas.jarosch at intra2net.com>:
>>>
>>>> Hi,
>>>>
>>>> given the recent development in world wide data snooping
>>>> of government agencies, I guess it would be a good idea
>>>> if there's a secure way to report issues to security at horde.org.
>>>>
>>>> Otherwise information about possible exploit vectors might fall
>>>> into the "wrong" hands before a fix is publicly released.
>>>>
>>>> We could define a set of PGP keys on 
>>>> http://wiki.horde.org/SecurityManagement
>>>> that could be used to report issues on the "security" email alias. Or we
>>>> could create a distinct PGP key that's shared among a few trusted people.
>>>>
>>>> Opinions?
>>>
>>> While I don't have any objections to creating a shared PGP key for 
>>> this purpose, there is really no way to enforce the use of sending 
>>> an encrypted email. This would require someone to search for, and 
>>> find, the keys to use. I just don't see the advantage if we can't 
>>> enforce it.
>>
>> Well, obviously the sender has to be aware that encryption might be a 
>> good idea. Chances are that people discovering vulnerabilities are 
>> aware of that.
>> Besides putting the key(s) on the wiki/website, we would also 
>> upload it to a PGP keyserver. That's probably the first place where 
>> security aware people would look for public keys.
> 
> How about replacing email with HTTPS protected web form? Probably Ulaform 
> could be used for that? This would automatically enforce secure 
> communication by default.
> 

Forms are good, but if we want people to bother reporting, email should
be available. +1 for the PGP key. When it's on the public key servers,
people will find it.


-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
