Bugzilla implementation of OpenPGP and Memory Hole (Was: Re: [oss-security] accepting new members to (linux-)distros lists)

[Kristian Fiskerstrand <k_f () gentoo org>]

[Changing subject as it has likely gone too off target with the previous
one]

On 07/03/2017 02:35 PM, Kristian Fiskerstrand wrote:
> On 07/02/2017 10:58 PM, Anthony Liguori wrote:
> > On Jul 2, 2017 1:38 PM, "Kristian Fiskerstrand"<k_f () gentoo org> wrote:
> > > The immediate thought that springs to mind is the [lack of OpenPGP
> > > support in bugzilla] which makes it difficult to ensure confidentiality
> > > unless disabling all email warnings.
> >
> > I would just assume all email is disabled.  I don't know of a tool that
> > does this right so for security sensitive things, I think disabling email
> > notification is a best practice.
>
> It wouldn't take much to have a tool that does, mainly what I outline in
> the previous post to ensure OpenPGP keyblock management for the
> individual users, and as an extension of the scope for that perhaps a
> [MemoryHole] implementation to ensure confidentiality / integrity
> verification of the RFC822 headers such as Subject. Enigmail users
> should already have such support read-only[Note:A]

Just to add that when I say read only here it goes to the encrypted
subject aspect of things (as, perhaps, inferred from the note). Enigmail
should already, by default, use MemoryHole for signed messages in
OpenPGP/MIME mode, which should be visible as a separate first MIME part
e.g of this email.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachment: signature.asc
Description: OpenPGP digital signature