Message-ID: <20120204034839.GA19843@openwall.com>
Date: Sat, 4 Feb 2012 07:48:39 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: distros & linux-distros embargo period and message format

On Fri, Feb 03, 2012 at 10:00:24PM -0500, Michael Gilbert wrote:
> On Fri, Feb 3, 2012 at 8:45 PM, Solar Designer wrote:
> > Yet the delay itself matters too.  There are different opinions as to
> > whether it is "the important aspect" or not.
>
> That's why I think it's more appropriate to defer such decisions to the
> researcher who understands the complexity of the problem at hand (of
> course hopefully allowing negotiation with those affected to choose a
> disclosure date that can be met).

That's what we have now, right?

> > [...] I need a tool - a program to mass-decrypt a
> > PGP/MIME mbox, producing another mbox.  I think such a program might be
> > generally useful.  Well, or alternatively I need to introduce a
> > different mechanism for the archive - not treat it as a regular
> > subscriber like I intended to.
>
> Completely unfleshed out, but a pseudo-bash script along the lines of
> the following should do it:
>
> echo "" > newmbox
> gpg-agent --allow-preset-passphrase
> /usr/lib/gnupg2/gpg-preset-passphrase --preset <cache id>
> cat mbox | while read line; do
>     test <header> && echo $line >> /tmp/header
>     test <body> && echo $line >> /tmp/body
>     if [ <end of body> ]; then
>         cat /tmp/header >> newmbox
>         cat /tmp/body | gpg --decrypt >> newmbox
>     fi
> done
> /usr/lib/gnupg2/gpg-preset-passphrase --forget
>
> Obviously a bit more work there to figure out appropriate conditionals
> to put in the angle brackets.

Unless I am missing something, this doesn't handle MIME at all - so it
won't do the trick.

I was thinking of building something upon Mutt in its entirety (e.g.,
talk to it with expect) or upon pieces of code from Mutt (since it
handles such mbox'es just fine) or maybe upon my own mbox and MIME
parsing code from blists (but add the gpg invocations to it myself).

Alternatively, I could in fact make the list archive recipient special
such that there would be no MIME at that level - re-encrypt entire
already-decrypted messages to the archive key such that the resulting
messages are no longer valid for viewing with a MUA, but such that we
can decrypt them again easier (without parsing MIME).  This might be
less code to write.

Alexander
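
Added example (not part of the original message, and not Mutt or blists code): a Python version of the mbox-to-mbox mass-decrypt tool discussed above that does parse MIME, replacing each RFC 3156 multipart/encrypted envelope with the entity it encrypts while keeping the outer headers. It assumes gpg is on PATH and gpg-agent can unlock the key; the function names are illustrative.

```python
import email
import mailbox
import subprocess


def gpg_decrypt(ciphertext: bytes) -> bytes:
    """Decrypt via the local gpg binary (assumes gpg-agent can unlock the key)."""
    proc = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=ciphertext, capture_output=True, check=True)
    return proc.stdout


def is_pgp_mime(msg) -> bool:
    """RFC 3156 envelope: multipart/encrypted with exactly two parts."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.is_multipart() and len(msg.get_payload()) == 2
            and str(msg.get_param("protocol")).lower() == "application/pgp-encrypted")


def decrypt_message(msg, decrypt=gpg_decrypt):
    """Replace a PGP/MIME envelope with the MIME entity it encrypts."""
    if not is_pgp_mime(msg):
        return msg  # unencrypted or inline-PGP mail is copied unchanged
    armored = msg.get_payload(1).get_payload(decode=True)
    inner = email.message_from_bytes(decrypt(armored))
    # The plaintext is a complete MIME entity. Its Content-* headers replace
    # the envelope's; the other outer headers (From, Subject, ...) are kept.
    for name in [h for h in msg.keys() if h.lower().startswith("content-")]:
        del msg[name]
    for name, value in inner.items():
        if name.lower().startswith("content-"):
            msg[name] = value
    msg.set_payload(inner.get_payload())
    return msg


def decrypt_mbox(src_path, dst_path, decrypt=gpg_decrypt):
    """Write a decrypted copy of src_path to dst_path; return messages decrypted."""
    src = mailbox.mbox(src_path, create=False)
    dst = mailbox.mbox(dst_path)
    decrypted = 0
    try:
        for msg in src:
            if is_pgp_mime(msg):
                decrypted += 1
            dst.add(decrypt_message(msg, decrypt))
        dst.flush()
    finally:
        src.close()
        dst.close()
    return decrypted
```

The output mbox holds plaintext, so it needs the file permissions and storage controls that the encrypted archive did not.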