[Fwd: Bugmail is less secure than Bug views]

Jason Pyeron jpyeron at pdinc.us
Tue Jun 12 13:44:59 UTC 2007


It has been a while since I have worked with S/MIME; it is really simple
stuff. There should be no need to depend on any new CPAN modules. Just find
a package that you can suck into bz and modify it to play nice.

What about*: http://www.mozilla.org/projects/security/pki/nss/smime/

* I have not read the code, but the text seems to fit.
 


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Sr. Consultant                    10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



-----Original Message-----
From: developers-owner at bugzilla.org [mailto:developers-owner at bugzilla.org]
On Behalf Of Gervase Markham
Sent: Tuesday, June 12, 2007 5:58
To: developers at bugzilla.org
Subject: Re: [Fwd: Bugmail is less secure than Bug views]

Max Kanat-Alexander wrote:
> 	Anybody who has an SSL cert and advertises TLS support on their
> mail server receives mail with SSL. They can also make their POP or IMAP
> connections with SSL.

This is true but, as someone commented on the security list, there's no 
way to enforce this. In a sense, it's optional rather than mandatory 
security. It also doesn't help if people have mail forwarding, or if 
they don't have control of their SMTP server (most people).

The way to do this would, I think, be to allow people to associate an 
S/MIME or PGP key with their account, which would then be used to 
encrypt all their bugmail where the bug was in one or more groups.

Sadly, none of these look ideal:
http://search.cpan.org/search?query=smime&mode=all
We need a library where we pass it the message text and the key, and get 
the encrypted text back. Most of them seem centred around files on disk.

Gerv
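
The interface asked for above (message text and key in, encrypted text out), sketched as an added example that is not part of the original thread and is not Bugzilla code. It swaps the Perl library for the openssl command-line tool driven through pipes; the function names, the throwaway certificate and the sample message are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Bugzilla code; function names are hypothetical.
# Requires the openssl command-line tool.

# Constructed test data: a throwaway key and self-signed certificate in
# directory $1, standing in for the certificate a user attaches to an account.
make_test_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=bugmail-test-recipient" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# smime_encrypt CERT: message text on stdin, S/MIME enveloped message on stdout.
# -binary keeps line endings untouched so decryption returns the exact bytes.
smime_encrypt() {
    openssl smime -encrypt -binary -aes256 "$1"
}

# smime_decrypt CERT KEY: the recipient's side, here only to check the round trip.
smime_decrypt() {
    openssl smime -decrypt -recip "$1" -inkey "$2"
}

# prepare_bugmail GROUP_COUNT CERT: encrypt when the bug is in one or more
# groups; otherwise pass the message through unchanged.
prepare_bugmail() {
    if [ "$1" -ge 1 ]; then smime_encrypt "$2"; else cat; fi
}

# Round trip held in shell variables: the message body never touches disk.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    make_test_recipient "$dir" || return 1
    body='Constructed bugmail body for a bug in a restricted group'
    enc=$(printf '%s\n' "$body" | prepare_bugmail 1 "$dir/cert.pem") || return 1
    dec=$(printf '%s\n' "$enc" | smime_decrypt "$dir/cert.pem" "$dir/key.pem")
    rm -rf "$dir"
    [ "$dec" = "$body" ]
}

roundtrip_demo && echo "round trip ok"
```

Only the recipient certificate is read from a file here; the message itself goes in on stdin and comes back on stdout.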