-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, Jan 06, 2011 at 02:05:29PM -0500, Michael Orlitzky wrote:
On 01/06/2011 06:54 AM, Christian Felsing wrote:
On 04.01.2011 07:38, tomas@tuxteam.de wrote:
The idea upthread (Jan-Frode) to keep a public key server-side and encrypt messages on arrival seems to me the way to go.
[...]
This still doesn't work, because the administrator is the one who tells the system to encrypt messages as they arrive. He can peek at the messages before they're encrypted with the user's public key.
Right. You just reduce the window of opportunity: if a system gets compromised, the attacker can just peek on newly arriving mail, not on already delivered mail.
It's impossible to hide the contents of a plain-text message from the person who receives it in plain text (the administrator). PGP/GPG is the only option.
You mean end-to-end? We are in violent agreement, then. Encryption-on-arrival is just a mitigation technique. Best is to get others to send me encrypted mail.
But the other techniques discussed here (e.g. having a Dovecot plugin decrypt the mails before serving) seem to me nearly useless (at least not worth the bother). Because at some point, this very plugin must have the key available in some unprotected form, and then whoever compromises the server can capture the key. So it wouldn't significantly reduce the area of vulnerability.
This all IMO, of course.
Regards
- -- tomás -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD4DBQFNJsvcBcgs9XrR2kYRAqkyAJ45Fp3H89IpdPPLyetFkRL0bCj/wgCVFCb+ QSFw9PHqZvzgeX9qIqzIsw== =vPsq -----END PGP SIGNATURE-----