Hi,
So I have a bare minimum prototype here: https://gitweb.torproject.org/admin/trac/trac-email.git/tree/notify.py
But I have started thinking that maybe this shouldn't be a simple script parsing emails. Maybe I am over-thinking this but I am seeing a need in having a service that can perform basic cryptographic verification and small integrations. I will list a few examples:
1. Trac email interface to open and reply to tickets.
2. Trac authentication for xmprpc (better than just http auth)
3. Encrypted mailing lists
What I am outlining here is a simple service where, for example, we can send a signed request via REST APIs and perform some actions.
So for example 1 the service will check an email account and verify signatures to open/reply to trac tickets.
For example 2 there will be an API endpoint where we can send a signed request to interact with trac (better than http auth which is the standard for xmlrpc plugin).
Example 3 involves people sending encrypted emails w/ the server key, and the server decrypting the email, encrypting with the participant keys and sending the encrypted emails. In this case I wouldn't reinvent the wheel and I would opt for integrating w/ schleuder (https://git.codecoop.org/schleuder/schleuder3/). - Note I am aware of the GPG 2 requirement and haven't fully considered this just yet ;)
Thoughts? Ideas?
- s
On 13/12/16 13:20, Silvia [Hiro] wrote:
Apologies, I was eager to get some feedback and forgot to mention that the intention was to get rid of the perl part and move verification into and trac ticket management into the same script.
I am now managing the trust part of the signature verification (
https://gitweb.torproject.org/admin/trac/trac-email.git/
), but still heavy WIP.
Will ask for feedback when I have a more complete prototype, so it is more clear how I want this to work.
-s
On 12/12/16 23:29, Peter Palfrader wrote:
On Mon, 12 Dec 2016, Silvia [Hiro] wrote:
I have shared the first version here: https://gitweb.torproject.org/admin/trac/trac-email.git/
You will find procmail config, perl script verifying gpg signature (very simple), python script to verify user permissions and create/update trac tickets (still WIP).
Looking forward to get more feedback on the proposed changes.
I just glanced at it briefly, but the verify script has me worried. It uses Perl without 'use strict', nowadays open() really should use >= 3 arguments, and I am not convinced the script actually verifies that the entire mail is signed.
Also, you can't reliably cont on the exit code of gpg for verifying signatures.
Cheers,
tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project