Hi,
the requirement to use OpenPGP encryption has been somewhat annoying for me
personally in the past, especially because it did not allow me to read
mirror-related e-mails (sometimes relatively time-critical ones) on my
smartphone. This has happened to me on vacation in another country (I don't
have a laptop) and at the local university, during breaks that I could have
used to fix a problem if I had known which one it was.
Also, the information shared via encrypted e-mail about my mirror in any
direction has never been so confidential that encryption would have been
necessary in my opinion. I know that it is probably best to encrypt all
communication to prevent an attacker (e.g. NSA) from understanding which
e-mails are really interesting, but the cost of encryption has outweighed
the benefits for me so far.
What I'd absolutely keep, though, is the *signing* of e-mails. I need to be
able to check if a request has really been sent by the undersigning person.
If I can be sure that the request is valid (e.g. "your server is down")
without verifying the OpenPGP signature, I might react directly (e.g.
restart the server) instead of verifying the signature. If I can't, I must
verify the signature.
Also, I hope that the same level of verification is applied when I send an
e-mail about my mirror. If I quote the sender's e-mail in my reply and
simply confirm fixing a problem, checking my signature might be
unnecessary. If I request the removal of my mirror from the pool, I really
hope that the request will be properly verified. If my signature is
missing, I hope that I'd be asked to provide a valid OpenPGP signature, a
message on my website or whatever else would be sufficient to identify me
as the sender of the request.
Sending and receiving encrypted e-mails is rather annoying, sending and
receiving signed e-mails is necessary, I'd say.
Best regards,
Tobias Frei
2016-03-04 20:18 GMT+01:00 intrigeri <intrigeri@???>:
> Hi,
>
> We'll soon be in a position to add more servers to the pool of HTTP
> mirrors that serve our ISO images and IUKs. Before I publish the
> corresponding call for help, and get in touch with operators of
> potential fast mirrors (#11079), I'd like to make sure we get the
> requirements right.
>
> So far, we (or was it perhaps just me?) have insisted on having a way
> to communicate using OpenPGP with each operator of an HTTP mirror in
> our pool. I'm starting to question this. [In case anyone here didn't
> get that memo: yes, it often takes me years to change my mind.]
>
> This requirement has one clear disadvantage: it excludes some fast
> mirrors, e.g. lots of those that are run in universities (I have to
> trust people who are more in touch with operators of such candidate
> mirrors, on this one, as I have personally no idea). Also, on our side
> it adds to the burden of maintaining our pool of mirrors: maintaining
> a keyring isn't easy, and it gets quite hard if one wants to try to do
> it seriously.
>
> We are in the process of dropping at least another requirement of ours
> (the need for a dedicated hostname) that might have been a blocker, so
> I think it's time to check our list of requirements.
>
> I think the main advantages of requiring OpenPGP-enabled
> communication with mirror operators are:
>
> * We can authenticate requests sent to us by mirror operators: e.g.
> "please remove my mirror from the pool", that could otherwise be
> used to degrade our pool of mirrors, just by spoofing the sender
> address.
>
> - Are we seriously checking the OpenPGP signature on such requests?
> I used to do it, and used to require a good trust path for key
> updates, but I am under the impression that this might all have
> been handled in a more flexible way recently. sajolida?
>
> - Perhaps we would notice if too many mirrors were removed (this
> calls for a monitoring check, I guess), and perhaps mirror
> operators would notice if they don't get the traffic they expect?
> IOW, perhaps we have other ways to avoid such attacks from being
> effective enough to be attractive in the first place.
>
> * Mirror operators can authenticate instructions we send them, e.g.
> "please add this option to your nginx configuration". Without this,
> anyone can quite trivially DoS our pool of HTTP mirrors, until
> someone notices. The thing is, we have no idea if the operators of
> our mirrors check this, i.e. whether they would notice if some
> email apparently coming from us was not signed.
>
> * More?
>
> I'm now less convinced that these advantages are worth the drawbacks,
> and could be ready to drop the OpenPGP communication requirement.
>
> Thoughts?
>
> Cheers,
> --
> intrigeri
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
> Tails-dev-unsubscribe@???.
>
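The quoted message suggests a monitoring check that would notice if too many mirrors were being removed from the pool, and the reply asks that removal requests without a verified signature be challenged. The script below is an added example of such a check, written for this thread; it is not code from the Tails project. It assumes a constructed audit log of pool changes in which a `signed` flag records whether the request's OpenPGP signature was verified by a step outside this script; the hostnames, timestamps, window and threshold are all made up for the example.

```python
"""Sliding-window check over mirror-pool removals (added example, not Tails code).

Two conditions raise an alert:
  * a removal was applied although the request carried no verified signature;
  * more than MAX_REMOVALS removals landed inside one WINDOW, which is the
    pattern a spoofed-sender "please remove my mirror" campaign would produce.
"""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed window; tune to the pool's normal churn
MAX_REMOVALS = 2               # assumed threshold for removals per window

# Constructed audit log: one entry per pool change. Hostnames are placeholders,
# and "signed" is assumed to be the outcome of an external signature check.
AUDIT_LOG = [
    {"ts": "2016-03-01T09:00:00+00:00", "action": "add",    "mirror": "mirror-a.example.org", "signed": True},
    {"ts": "2016-03-02T10:00:00+00:00", "action": "remove", "mirror": "mirror-b.example.org", "signed": True},
    {"ts": "2016-03-03T11:30:00+00:00", "action": "remove", "mirror": "mirror-c.example.org", "signed": False},
    {"ts": "2016-03-03T12:00:00+00:00", "action": "remove", "mirror": "mirror-d.example.org", "signed": True},
    {"ts": "2016-03-03T13:00:00+00:00", "action": "remove", "mirror": "mirror-e.example.org", "signed": True},
    {"ts": "2016-03-10T08:00:00+00:00", "action": "remove", "mirror": "mirror-f.example.org", "signed": True},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(value)


def check_removals(log, window=WINDOW, max_removals=MAX_REMOVALS):
    """Return a list of alert strings; an empty list means nothing suspicious.

    Entries are processed in timestamp order. A deque keeps the timestamps of
    removals that fall inside the trailing window, so the burst check is O(n).
    """
    alerts = []
    recent = deque()
    for entry in sorted(log, key=lambda e: parse_ts(e["ts"])):
        if entry["action"] != "remove":
            continue
        ts = parse_ts(entry["ts"])
        if not entry["signed"]:
            alerts.append(f"unsigned removal of {entry['mirror']} at {entry['ts']}")
        recent.append(ts)
        # Drop removals that are now older than the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > max_removals:
            alerts.append(f"{len(recent)} removals within {window} ending {entry['ts']}")
    return alerts


if __name__ == "__main__":
    for alert in check_removals(AUDIT_LOG):
        print("ALERT:", alert)
```

On the constructed log this reports the unsigned removal of mirror-c and a burst of three removals on 2016-03-03; the single removal a week later stays below the threshold. In practice the log would be fed from whatever records pool edits, and the alert would go to the same people who handle mirror requests, so a wave of spoofed removals is noticed before the pool is hollowed out.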