Mailman-Reencrypt 0.09-prealpha

2007-05-14 11:56 - coding security

I was trying to figure the best way of using a company-owned GPG/PGP key to decrypt inbound confidential communications arriving at a group inbox without giving each user the private key for the company key. The solution had previously been devised by Mr. Bad <mr.bad@pigdog.org> in the form of a Mailman filter named mmreencrypt – however, the script was written in 2000 and Mailman’s APIs have changed in such a manner as to render mmreencrypt incompatible. The idea is to decrypt and immediately re-encrypt to all list recipients’ individual keys.

I’ve devoted some of this past weekend to porting it to work with Mailman 2.1.9; the retitled project is now named Mailman-Reencrypt and is available from http://www.ctyalcove.org/~elizabeth/Reencrypt.py (sig) – it remains under the GPL as a derivative work. I’ve bumped the version number up to 0.09-prealpha from 0.06.

Features:

Correctly works with Mailman 2.1.9
Passes through non-encrypted content unchanged.
Decrypts messages with list key and re-encrypts to individual members’ keys, signed with the list key for verifiability

Bugs:

Clobbers any non-encrypted content in messages containing encrypted content.
Does not include support for decrypting attachments at present and will clobber them.
Does not support decrypting multiple encrypted blocks
Does not preserve signature information from original message or assert that message was signed when originally received in reencrypted message.
Undefined behavior if the message is encrypted to a key which is not the list private key.
Fails if mailing list recipient public keys are not all in the database and signed (can be non-exportable) by the list private key.
Discloses all recipient key id’s since messages are not individually encrypted to one recipient at a time.