[Mimedefang] Scary... Filtering on the outbound.
Richard Laager
rlaager at wiktel.com
Mon Feb 21 14:19:32 EST 2005
On Mon, 2005-02-21 at 13:33 -0500, David F. Skoll wrote:
> Actually, I see that as a huge issue. If the key is ever compromised,
> then every piece of e-mail you've ever sent out is vulnerable to
> decryption. That makes the MIMEDefang machine a very tempting target.
This can be mitigated by creating several encryption subkeys up front.
(This would be done on a secure, unconnected machine.) Each key would be
valid for a specific chunk of time. Then, only install the first on the
server.
Near the expiration date, add the second subkey. A little while after
the expiration date, remove the first. Repeat this as the subkeys
expire. In this way, a compromise would only affect the messages from
one chunk of time (or two in the worst-case scenario when it's
compromised during the overlap around the expiration date). This does
assume that you catch the compromise in a timely fashion. If you wanted
to be absolutely sure about that, you could switch the mail server
functions over to a freshly installed and patched machine every time you
switched subkeys.
The messages could be archived in encrypted form. Assuming you use the
commercial version of PGP, the secret sharing stuff could be used to
ensure that the archived messages could only be read when authorized by
the appropriate person(s). If you're using GnuPG or something else, then
secret sharing isn't really available, but there are other ways of
accomplishing much the same thing.
Richard Laager
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20050221/8a2f63a5/attachment.sig>
More information about the MIMEDefang
mailing list