John Todd
2009-Jan-09 21:05 UTC
[asterisk-users] Security communication dilemma: your help needed
Dilemma: Digium will sometimes receive requests to send GPG-encrypted mail dealing with security issues. This works somewhat poorly for email role accounts where there are multiple recipients on a single address. If there exists a better way to do this that doesn't involve a lot of customization, let me know and we'll see if it will do the right thing, otherwise we'll continue with the functional but somewhat awkward current method.

Current procedure: An individual will reply back, and create a 1:1 signed exchange with the original correspondent. Then, the Digium staffer will relay the data (with relevant GPG keys) to each other Digium staff member who may be involved.

Desired procedure: A public key signature method would be publicly available via an SSL web page or various keyservers. Individuals could sign messages with the public key. Signed messages sent to "security@" would then be decrypted, and re-encrypted with the security@ key and sent to the small list of end recipients. Any recipients who replied back to the message would have the process happen in reverse, and also have copies of the reply sent (encrypted) to the other members of this email "exploder" as well as the external author.

Summary: Has anyone implemented a "B2BUA" for GPG-signed email?

JT

---
John Todd                       email:jtodd at digium.com
Digium, Inc. | Asterisk Open Source Community Director
445 Jan Davis Drive NW - Huntsville AL 35806 - USA
direct: +1-256-428-6083         http://www.digium.com/
Tzafrir Cohen
2009-Jan-09 21:36 UTC
[asterisk-users] Security communication dilemma: your help needed
On Fri, Jan 09, 2009 at 04:05:01PM -0500, John Todd wrote:
> Dilemma: Digium will sometimes receive requests to send GPG-encrypted
> mail dealing with security issues. This works somewhat poorly for
> email role accounts where there are multiple recipients on a single
> address. If there exists a better way to do this that doesn't involve
> a lot of customization, let me know and we'll see if it will do the
> right thing, otherwise we'll continue with the functional but somewhat
> awkward current method.
>
> Current procedure: An individual will reply back, and create a 1:1
> signed exchange with the original correspondent. Then, the Digium
> staffer will relay the data (with relevant GPG keys) to each other
> Digium staff member who may be involved.
>
> Desired procedure: A public key signature method would be publicly
> available via an SSL web page or various keyservers. Individuals
> could sign messages with the public key. Signed messages sent to
> "security@" would then be decrypted, and re-encrypted with the
> security@ key and sent to the small list of end recipients. Any
> recipients who replied back to the message would have the process
> happen in reverse, and also have copies of the reply sent (encrypted)
> to the other members of this email "exploder" as well as the external
> author.

The output of this is a keyring, that you can later import to your own personal keyring. See also the Debian package debian-maintainers for a slightly different approach.

--
Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com     iax:guest at local.xorcom.com/tzafrir
Kevin P. Fleming
2009-Jan-10 12:38 UTC
[asterisk-users] Security communication dilemma: your help needed
John Todd wrote:
> Desired procedure: A public key signature method would be publicly
> available via an SSL web page or various keyservers. Individuals
> could sign messages with the public key. Signed messages sent to
> "security@" would then be decrypted, and re-encrypted with the
> security@ key and sent to the small list of end recipients. Any
> recipients who replied back to the message would have the process
> happen in reverse, and also have copies of the reply sent (encrypted)
> to the other members of this email "exploder" as well as the external
> author.

Actually, a slight clarification is in order. Let's assume for the moment that the security@ role is actually serviced by developers A, B, C and D (not necessarily all Digium employees, but Asterisk developers). Let's also assume that third-party X wants to send a secure vulnerability report.

1) X retrieves the security@ public key from a reliable source; this key would be countersigned by a large number of Asterisk developers to ensure its authenticity.

2) X would compose their message, attach their GPG public key, digitally sign the message using their GPG private key, then encrypt the entire message using the security@ public key.

3) The message would be received by this super-duper email alias processor, which would then (because it has the security@ private key), decrypt the message, verify the signature from X, then store X's public key in a local database along with some sort of thread ID for this conversation.

4) The processor would then re-send the message to A, B, C and D, in each case signing the message using the security@ public key and encrypting it using the recipient's public key, so each copy of the message leaving the processor can only be read by the recipient.

5) If A, B, C or D responds to the message (back to the security@ processor), they would also sign/encrypt their response, and the same process would occur. However, since the processor would have the thread ID (presumably in a References or In-Reply-To header in the reply), it would also include X in the distribution of the reply, encrypting the message using X's stored public key.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpfleming at digium.com
Check us out at www.digium.com & www.asterisk.org
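
The thread tracking and per-recipient fan-out from steps 3 to 5 above, as an added example that is not part of the original thread or any Digium code. It assumes the message was already decrypted and signature-checked by gpg, and the addresses, `FPR_*` fingerprints, `Exploder`, `route` and `gpg_argv` are hypothetical names; rejecting a signer that does not match the thread's stored key is an added assumption beyond the listed steps.

```python
from email import message_from_string
from email.utils import parseaddr

ROLE = "security@example.org"                      # assumed role address
MEMBERS = {"a@example.org": "FPR_A", "b@example.org": "FPR_B",
           "c@example.org": "FPR_C", "d@example.org": "FPR_D"}  # constructed placeholders


def gpg_argv(recipient_fpr):
    """gpg command that signs as the role key and encrypts to one recipient (stdin -> stdout)."""
    return ["gpg", "--batch", "--armor", "--local-user", ROLE,
            "--recipient", recipient_fpr, "--sign", "--encrypt"]


class Exploder:
    def __init__(self, members):
        self.members = members
        self.reporter = {}   # thread root Message-ID -> (address, fingerprint) of X
        self.root_of = {}    # every seen Message-ID -> its thread root

    def route(self, raw, signer_fpr):
        """Plan delivery of one message that was already decrypted and
        signature-checked; signer_fpr is the fingerprint that verified it."""
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"])[1].lower()
        refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
        root = next((self.root_of[r] for r in refs if r in self.root_of), None)
        if sender in self.members:
            # Steps 4-5: a developer may only reply inside a known thread.
            if root is None or signer_fpr != self.members[sender]:
                raise PermissionError("member mail rejected")
        elif root is None:
            # Step 3: first contact; remember X's key under a new thread ID.
            root = msg["Message-ID"].strip()
            self.reporter[root] = (sender, signer_fpr)
        elif self.reporter[root] != (sender, signer_fpr):
            # An outsider other than X is quoting a thread ID it does not own.
            raise PermissionError("signer is not this thread's reporter")
        self.root_of[msg["Message-ID"].strip()] = root
        targets = dict(self.members)
        addr, fpr = self.reporter[root]
        targets[addr] = fpr          # include X in every reply
        targets.pop(sender, None)    # never echo a message back to its author
        return {a: gpg_argv(f) for a, f in targets.items()}
```

Each returned command is meant to receive the plaintext on stdin, so every outgoing copy is encrypted to exactly one recipient key.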