Differences

This shows you the differences between two versions of the page.

--- project:secure_remailer:start [2017/06/05 19:22] – ruza
+++ project:secure_remailer:start [2017/06/06 16:48] (current) – [Solutions] ruza
@@ Line 18: / Line 18: @@
 ==== Motivation ====
 We have an **contact email** where people can send sensitive info. We dont want to transfer such info unsecurely nor have stored anywhere where can be leaked later. This email addres is actually an alias whose membership is changing overtime. Only actual final recipients (ie brmlab council members) should be able to decrypt such email.
+==== Solutions ====
+=== GnuPG email/ML gateway ===
+Explore existing solutions like [[https://www.ciphermail.com/|Ciphermail]] or similar.
+=== New idea ===
 ^ recipient          ^ changes            ^ GPG keys          ^ validity                                      ^ Usage/purpose                               ^
@@ Line 23: / Line 31: @@
 | actual recipients  | once a year or so  | GnuPG subkey      | generated once a year,\\ valid for 15 months\\ could be revoked prematurely | recipients to decrypt email messages  |
-=== Known problems ===
+== Architecture components ==
-  * __public subkey distribution__ on **email sender** site - since subkey is generated with one year validity (technically 12-15 months) an email clients needs to refresh to currently valid keyring state at least once a year.
-  * __private subkey distribution__ on **email recipients** site - each time new subkey generated (Usually related to the list of newly elected board members) this new subkey needs to be distributed to board members
-  * Afaik in GnuPG there is no way how to generate an decrypt only subkey (key without signing capability). Since we have an requirement to decrypt email content for the purpose of storing it in the mailing list archive an receiving email server needs to hold a private subkey currently used. The question whether processing server should also keep expired subkeys could be a matter of discussion.
-==== Architecture components ====
-=== Email client ===
+== Email client ==
 An email client of the sender. Since we are expecting an heterogenous environment that consist of different email clients "public subkey distribution" evolves to be a known requirement or we could say a problem to be solved. An email client generates an email content in the following forms:
   * GnuPG **encrypted** email - encrypted against currently valid subkey
   * an **unencrypted** email - such email is not protected on its transfer
-=== Receiving email server ===
+== Receiving email server ==
 Email/SMTP server is receiving emails from email clients and encrypts them eventually (depending on the form of an email received). Following inputs are assumed:
   * **unencrypted** email
@@ Line 56: / Line 59: @@
 Authentication and autorization to the data archived on the filesystem level are realized using operating system user rights assignment and SSH remote access capabilities. Also possible access to the raw data by the virtual infrastructure provider should not be forgotten.
-=== Recipients ===
+== Recipients ==
 Recipient group consist of an organization board members or another small similarly defined user group. For the managing simplicity we didnt choose the way to reencrypt each incoming email to specific list of recipients instead of simply distribute private subkey to the recipients.
 Recipient always receives an mailing list processed emails in the form of GnuPG encrypted email and using private subkey to decrypt such email.
-=== Master keypair owners ===
+As we know in our situation (brmlab council mailing list) consist of:
+  * council members
+  * brmlab members interested in council activities
+== Master keypair owners ==
 Master keypair is not used in a day-to-day operation. Its purpose is to be a source of trust in case new subkey is released. Limited number of persons ("master key holders/owners") should be established (probably a couple). His/her role and responsibility is to hold whole keypair in a secure way, issue and distribute newly created subkey to the recipient group at the at the right time and do the appropriate steps in case some subkeys should be matter of a revocation.
-==== Solution ====
-<note>Due to a change in the idea on implementation and architecture the following text needs to be reworked.</note>
+== Known problems ==
+  * __public subkey distribution__ on **email sender** site - since subkey is generated with one year validity (technically 12-15 months) an email clients needs to refresh to currently valid keyring state at least once a year.
+  * __private subkey distribution__ on **email recipients** site - each time new subkey generated (Usually related to the list of newly elected board members) this new subkey needs to be distributed to board members
+  * Using [[wp>GnuPG]] expert mode there is possibility to generate **"encrypt only" subkey** (key without signing and authentication capabilities) [[https://www.sidorenko.io/blog/2014/11/04/yubikey-slash-openpgp-smartcards-for-newbies/|howto]]. Since we have an requirement to decrypt email content for the purpose of storing it in the mailing list archive an receiving email server needs to hold a private subkey currently used. The question whether processing server should also keep expired subkeys could be a matter of discussion. [[https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php|RSA Signing is Not RSA Decryption]]
+==== Old idea ====
+<note>Due to a change in the idea on implementation and architecture the following text needs to be reworked or proclaimed as not selected as a solution to be implemented.</note>
 Sender encrypts an email against Brmlab public GPG key. Email is delivered to an brmlab SMTP server, reencrypted by **GPG-remailer** to an up-to-date list of recipients (that is changed more frequently than contact email) and resent to them. Only actual and specific members can decrypt such message with his/her own private key.