> Discussed various mechanisms to make security vulnerability discussions
> secure. Sending of security vulnerability reports to us could be done
> securely with a simple HTTPS webapp. Alternatively, we could make an
> official PGP public key available for sending in reports. There are two
> options for securing discussions on the security mailinglist:
>
> - everybody uses the same PGP public/private keypair which expires, say,
>   after one year
> - everybody uses personal PGP keys for communication: all need to have
>   the public keys of everyone else and each mail has to be encrypted once
>   for every recipient
>
> Agreed that the second option is better, if mail clients can be
> configured to do multiple encryption automatically. Samuli promised to
> check if Thunderbird + Enigmail supports this. Samuli also promised to
> check if SF.net mailinglists could be used for the -security ml.

As promised, I did some digging... Thunderbird + Enigmail _should_ be able to encrypt messages using several public keys based on the target address (e.g. openvpn-secur...@lists.sourceforge.net):

<http://enigmail.mozdev.org/documentation/pgprules.php>

I currently only have David's public PGP/GnuPG key - if somebody else cares to share his key, we could test if this works in practice.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock