oss-sec mailing list archives

Re: distros & linux-distros embargo period and message format


From: Solar Designer <solar () openwall com>
Date: Sat, 4 Feb 2012 07:48:39 +0400

On Fri, Feb 03, 2012 at 10:00:24PM -0500, Michael Gilbert wrote:
> On Fri, Feb 3, 2012 at 8:45 PM, Solar Designer wrote:
> > Yet the delay itself matters too.  There are different opinions as to
> > whether it is "the important aspect" or not.

> That's why I think it's more appropriate to defer such decisions to the
> researcher who understands the complexity of the problem at hand (of
> course hopefully allowing negotiation with those affected to choose a
> disclosure date that can be met).

That's what we have now, right?

> > [...] I need a tool - a program to mass-decrypt a
> > PGP/MIME mbox, producing another mbox.  I think such a program might be
> > generally useful.  Well, or alternatively I need to introduce a
> > different mechanism for the archive - not treat it as a regular
> > subscriber like I intended to.

> Completely unfleshed out, but a pseudo-bash script along the lines of
> the following should do it:
>
>   : > newmbox
>   hdr=$(mktemp) body=$(mktemp)          # private temp files instead of fixed /tmp names
>   gpg-agent --daemon --allow-preset-passphrase
>   /usr/lib/gnupg2/gpg-preset-passphrase --preset <cache id>   # reads the passphrase from stdin
>   while IFS= read -r line; do
>       test <header> && printf '%s\n' "$line" >> "$hdr"
>       test <body> && printf '%s\n' "$line" >> "$body"
>       if [ <end of body> ]; then
>           cat "$hdr" >> newmbox
>           gpg --decrypt < "$body" >> newmbox
>           : > "$hdr"; : > "$body"       # start the next message with empty buffers
>       fi
>   done < mbox
>   /usr/lib/gnupg2/gpg-preset-passphrase --forget <cache id>
>   rm -f "$hdr" "$body"
>
> Obviously a bit more work there to figure out appropriate conditionals
> to put in the angle brackets.

Unless I am missing something, this doesn't handle MIME at all - so it
won't do the trick.

I was thinking of building something upon Mutt in its entirety (e.g.,
talk to it with expect) or upon pieces of code from Mutt (since it
handles such mbox'es just fine) or maybe upon my own mbox and MIME
parsing code from blists (but add the gpg invocations to it myself).

Alternatively, I could in fact make the list archive recipient special
such that there would be no MIME at that level - re-encrypt entire
already-decrypted messages to the archive key such that the resulting
messages are no longer valid for viewing with a MUA, but such that we
can decrypt them again more easily (without parsing MIME).  This might be
less code to write.

Alexander
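A PGP/MIME-aware version of the mass-decrypt discussed in this message, added here as an example (it is not code from the thread, from blists or from Mutt): it walks an mbox with Python's mailbox module, unwraps each RFC 3156 multipart/encrypted message by handing its application/octet-stream part to gpg, and writes the decrypted MIME entity to a new mbox. It assumes gpg is on PATH with the archive key's passphrase served by gpg-agent; the gpg call is injectable, so the MIME handling is exercised offline at the bottom with a constructed sample and a stub standing in for gpg.

```python
import email
import mailbox
import subprocess

def gpg_decrypt(ciphertext: bytes) -> bytes:
    """Decrypt one armoured PGP blob with gpg (assumed on PATH, passphrase served by gpg-agent)."""
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"], input=ciphertext,
                          capture_output=True, check=True).stdout

def decrypt_message(msg, decrypt=gpg_decrypt):
    """Return a copy of msg with its RFC 3156 multipart/encrypted body decrypted; any other message is returned as is."""
    if (msg.get_content_type() != "multipart/encrypted"
            or msg.get_param("protocol") != "application/pgp-encrypted"):
        return msg
    parts = msg.get_payload()
    # Part 1 is the application/pgp-encrypted control part; part 2 carries the armoured ciphertext.
    if len(parts) != 2 or parts[1].get_content_type() != "application/octet-stream":
        raise ValueError("malformed multipart/encrypted message")
    inner = email.message_from_bytes(decrypt(parts[1].get_payload(decode=True)))
    out = mailbox.mboxMessage(msg)                # deep copy; keeps the mbox "From " envelope line
    for name in {n for n in out.keys() if n.lower().startswith("content-")}:
        del out[name]                             # drop the outer PGP/MIME framing headers
    for name, value in inner.items():             # the cleartext entity brings its own Content-* headers
        out[name] = value
    out.set_payload(inner.get_payload())
    return out

def decrypt_mbox(src_path, dst_path, decrypt=gpg_decrypt):
    """Copy src_path to dst_path, decrypting every PGP/MIME message; returns how many were decrypted."""
    src, dst, count = mailbox.mbox(src_path), mailbox.mbox(dst_path), 0
    for msg in src:
        out = decrypt_message(msg, decrypt)
        count += out is not msg
        dst.add(out)
    src.close(); dst.close()                      # close() flushes the new mbox to disk
    return count

# Constructed sample (not a real ciphertext) and a stand-in for gpg, so the MIME handling runs offline.
SAMPLE = (b"From: alice@example.org\nSubject: hello\n"
          b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\n\n'
          b"--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n--b\n"
          b"Content-Type: application/octet-stream\n\n-----BEGIN PGP MESSAGE-----\nFAKE\n-----END PGP MESSAGE-----\n--b--\n")

def fake_decrypt(blob: bytes) -> bytes:
    assert b"FAKE" in blob                        # the stub only knows the constructed sample
    return b"Content-Type: text/plain; charset=us-ascii\n\nsecret body\n"
def demo():
    out = decrypt_message(email.message_from_bytes(SAMPLE), fake_decrypt)
    return out["Subject"], out.get_content_type(), out.get_payload()
```

Running decrypt_mbox("list.mbox", "list-clear.mbox") with the real gpg_decrypt is the production path; demo() shows the same header and body rewrite on the sample.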
