Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] signing mails
  • From: suse@xxxxxx
  • Date: Fri, 5 Mar 2004 10:59:08 -0500
  • Message-id: <20040305105908.dv83as8gskgkswo8@xxxxxx>
Quoting dproc <dproc@xxxxxxx>:
> (1) malicious person or malware could pre-register a key as easily as
> they can send mail to the list

This is absurd. None of these attacks are directed at the list specifically.
They're just massmailing worms. Adding the key to the listserver would have to
be done manually, and is just not something the massmailing script kiddies are
interested in.

We're not trying to prevent someone from specifically attacking the list, but
just trying to avoid the collateral damage and Windows fallout from mass
mailing exploits.

> (2) honest person with useful info for list members often will not have
> access to the signing key (or even to openpgp software) at the machine
> they send mail from.

This is more likely and a valid concern. Whether to move to such a system
really depends on just how annoying these massmailings get. Much like e-mail
blacklists, there is a certain point when they simply must be implemented, no
matter how much we'd rather not.

Perhaps something simpler is in order. We could require everyone to put a "#"
at the end of the Subject string? Spammers and mass mailing worms won't know
to put it in, and it does not require any special software on posters' machines.
Replies to the list wouldn't even need to add it, as it would already be there
from the previous post.
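
The Subject-marker check proposed in the message above, as an added example that is not part of the original post or of any list server's code. The function names and sample messages are hypothetical; it uses only Python's standard `email` package and also covers folded and RFC 2047 encoded Subject headers.

```python
from email import message_from_string, policy

REQUIRED_SUFFIX = "#"  # marker proposed in the post above


def subject_of(raw_message: str) -> str:
    """Return the decoded, unfolded Subject header ('' if absent)."""
    msg = message_from_string(raw_message, policy=policy.default)
    # policy.default unfolds continuation lines and decodes RFC 2047
    # encoded-words, so the check sees the text a reader would see.
    return str(msg.get("Subject", "")).strip()


def accept_post(raw_message: str) -> bool:
    """True if the Subject ends with the agreed marker."""
    return subject_of(raw_message).endswith(REQUIRED_SUFFIX)


# Constructed sample messages (not real list traffic).
SAMPLES = {
    # New post where the sender added the marker by hand.
    "new_post": "Subject: signing mails #\n\nbody\n",
    # Reply: the marker is inherited from the previous post's Subject.
    "reply": "Subject: Re: [suse-security] signing mails #\n\nbody\n",
    # Typical mass-mailer subject without the marker.
    "mass_mail": "Subject: Re: Your document\n\nsee attachment\n",
    # Long Subject folded onto a continuation line by the sending client.
    "folded": (
        "Subject: Re: a long subject that the sending client folded\n"
        " onto a second line #\n\nbody\n"
    ),
    # Non-ASCII Subject; '=23' is the Q-encoded form of '#'.
    "encoded": "Subject: =?utf-8?q?Schl=C3=BCssel_signieren_=23?=\n\nbody\n",
    # No Subject header at all.
    "no_subject": "From: someone@example.org\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = "accept" if accept_post(raw) else "hold"
        print(f"{name:10s} {verdict:6s} {subject_of(raw)!r}")
```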
