<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
<p>So I have a bare minimum prototype here:
<a class="moz-txt-link-freetext" href="https://gitweb.torproject.org/admin/trac/trac-email.git/tree/notify.py">https://gitweb.torproject.org/admin/trac/trac-email.git/tree/notify.py</a></p>
<p>But I have started thinking that maybe this shouldn't be a simple
script parsing emails. Maybe I am over-thinking this but I am
seeing a need in having a service that can perform basic
cryptographic verification and small integrations. I will list a
few examples:</p>
<p>1. Trac email interface to open and reply to tickets.</p>
<p>2. Trac authentication for xmprpc (better than just http auth)</p>
<p>3. Encrypted mailing lists</p>
<p>What I am outlining here is a simple service where, for example,
we can send a signed request via REST APIs and perform some
actions.</p>
<p>So for example 1 the service will check an email account and
verify signatures to open/reply to trac tickets.</p>
<p>For example 2 there will be an API endpoint where we can send a
signed request to interact with trac (better than http auth which
is the standard for xmlrpc plugin).</p>
<p>Example 3 involves people sending encrypted emails w/ the server
key, and the server decrypting the email, encrypting with the
participant keys and sending the encrypted emails. In this case I
wouldn't reinvent the wheel and I would opt for integrating w/
schleuder (<a class="moz-txt-link-freetext" href="https://git.codecoop.org/schleuder/schleuder3/">https://git.codecoop.org/schleuder/schleuder3/</a>). - Note
I am aware of the GPG 2 requirement and haven't fully considered
this just yet ;)</p>
<p>Thoughts? Ideas? <br>
</p>
<p>- s<br>
</p>
<div class="moz-cite-prefix">On 13/12/16 13:20, Silvia [Hiro] wrote:<br>
</div>
<blockquote
cite="mid:3bf2ffcc-ff23-7fbd-66c1-a194d907f830@torproject.org"
type="cite">
<pre wrap="">Apologies, I was eager to get some feedback and forgot to mention that
the intention was to get rid of the perl part and move verification into
and trac ticket management into the same script.
I am now managing the trust part of the signature verification (
<a class="moz-txt-link-freetext" href="https://gitweb.torproject.org/admin/trac/trac-email.git/">https://gitweb.torproject.org/admin/trac/trac-email.git/</a>
), but still heavy WIP.
Will ask for feedback when I have a more complete prototype, so it is
more clear how I want this to work.
-s
On 12/12/16 23:29, Peter Palfrader wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Mon, 12 Dec 2016, Silvia [Hiro] wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I have shared the first version here:
<a class="moz-txt-link-freetext" href="https://gitweb.torproject.org/admin/trac/trac-email.git/">https://gitweb.torproject.org/admin/trac/trac-email.git/</a>
You will find procmail config, perl script verifying gpg signature (very
simple), python script to verify user permissions and create/update trac
tickets (still WIP).
Looking forward to get more feedback on the proposed changes.
</pre>
</blockquote>
<pre wrap="">I just glanced at it briefly, but the verify script has me worried. It
uses Perl without 'use strict', nowadays open() really should use >= 3
arguments, and I am not convinced the script actually verifies that the
entire mail is signed.
Also, you can't reliably cont on the exit code of gpg for verifying
signatures.
Cheers,
</pre>
</blockquote>
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
tor-project mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tor-project@lists.torproject.org">tor-project@lists.torproject.org</a>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project</a>
</pre>
</blockquote>
<br>
</body>
</html>