[Fwd: Bugmail is less secure than Bug views]

Jason Pyeron jpyeron at pdinc.us
Wed Jun 13 19:10:14 UTC 2007


From: developers-owner at bugzilla.org [mailto:developers-owner at bugzilla.org]
On Behalf Of Gervase Markham
Jason Pyeron wrote:
> It has been a while since I have worked with S/MIME, it is really simple
> stuff. There should be no need to depend on any new CPAN modules. Just find
> a package that you can suck into bz and modify it to play nice.
> 
> What about*: http://www.mozilla.org/projects/security/pki/nss/smime/
> 
> * I have not read the code, but the text seems to fit.

For one thing, that requires all the keys to be stored in an NSS-style 
database. I had hoped we could find something that worked like this:

$encryped_message = encrypt($message, $key);

with $key being whatever was pasted in plain text form into the "Insert 
Key Here" textbox on the profile page.



What I was saying was to do just that: absorb the core S/MIME part that
does the MIME parsing and sign/encryption.

Then each/any user would add their x509 public cert in their profile and
select encrypt or sign on all messages.


send(encrypt(sign(msg,bz.prvkey),user.pubkey))

Or 

sign(msg,bz.prvkey)

There really is nothing to it, I just wish I had more time.
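
Added example, not part of the original message and not Bugzilla code: the two options above, sign(msg,bz.prvkey) alone and encrypt(sign(msg,bz.prvkey),user.pubkey), run with the `openssl smime` command line. The keys, CN values, file names and bugmail body are constructed for the demo; `bz` stands for the installation's signing identity and `user` for a certificate pasted into a profile.

```shell
#!/bin/sh
# Added example with constructed data: throwaway keys, a made-up bugmail body.
# "bz" = the installation's signing identity, "user" = the cert from a profile.
smime_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        for who in bz user; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
                -subj "/CN=$who.example.invalid" \
                -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
        done
        body='Bug 1 changed: status NEW -> ASSIGNED'
        printf '%s\n' "$body" > msg.txt

        # sign(msg, bz.prvkey): clear-signed multipart/signed, body still readable
        openssl smime -sign -text -in msg.txt -signer bz.crt -inkey bz.key \
            -out signed.eml 2>/dev/null || exit 1
        # encrypt(sign(...), user.pubkey): enveloped for the profile certificate
        openssl smime -encrypt -aes256 -in signed.eml -out encrypted.eml \
            user.crt || exit 1

        # Compare what an observer of each message in transit could read.
        for f in signed encrypted; do
            if grep -qF "$body" "$f.eml"; then
                echo "$f: body readable in transit"
            else
                echo "$f: body hidden in transit"
            fi
        done

        # Recipient: decrypt with the private key, then check bz's signature.
        openssl smime -decrypt -in encrypted.eml -recip user.crt \
            -inkey user.key -out inner.eml || exit 1
        openssl smime -verify -text -in inner.eml -CAfile bz.crt \
            -out plain.txt 2>/dev/null || exit 1
        echo "recovered: $(tr -d '\r' < plain.txt)"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

smime_demo
```

Signing alone gives the recipient integrity and origin checking but leaves the bug text readable on the wire; only the sign-then-encrypt form hides it.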



