www-infrastructure-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: Secure submission of sensitive data to committees/entities
Date Thu, 24 Apr 2014 18:35:17 GMT
On 23 April 2014 18:18, Daniel Gruno <rumble@cord.dk> wrote:
> Hello, infra-dev lurkers,
>
> As was seen in the latest board report (should be public in about a
> month, if you're not on the infra ML), there was a request from several
> people at ApacheCon for infra to create a tool that automates secure
> submission of data of a sensitive nature to PMCs or other entities in
> the foundation, and we'd like some feedback on this.
>
> We have put up a solution for this at https://secsubmit.apache.org/ that
> does the following:
>
> 1) Jane Doe has something sensitive she wishes to share with the PMC and
> only the PMC (or another entity within the ASF)
> 2) Jane visits SecSubmit
> 3) Jane selects project Foo
> 4) Jane enters the data she'd like to send
>
> 5) The site fetches the PGP keys associated with members of this PMC
> 6) The site composes an email to the PMC/entity
>
> 7.a) The site encrypts this using the PGP keys and sends it to
> private@foo.apache.org (or security@ if applicable)
> 7.b) In cases of security issues (exploits etc), the Apache Security
> Team is also CC'ed and their keys are coupled in.
> 7.c) The site also informs the PMC/entity about the current PGP status
> of the respective PMC/entity (how many have valid keys etc)
>
> This process can already be done manually by anyone; this site simply
> automates it, making it easier to send encrypted information to an
> Apache entity.
>
> Note: Currently, the submissions end up in my inbox; it is not enabled
> for projects yet. We'd like some feedback before we activate the service
> for the public. If you'd like to see the end result of a submission,
> please ping me on #asfinfra, and I can flip some bits to make it land in
> your inbox.
>
> Also note that this is NOT a replacement for security@. If people use it
> for submitting security flaws, so be it, but the original intent is to
> make it easier to submit confidential information of any character to a
> PMC or other entity in the ASF, whether it be a bug, someone dying of
> cancer or what have you, and be assured that only the PMC can read it,
> even in cases of compromised email transport or clients.
>
> What do you think? Is this something you could imagine using (or imagine
> others could use), or is it simply a waste of space?

I can see that it could be very convenient for the sender.

But I suspect some of the recipients may not be expecting encrypted
mail and may not know how to deal with it, so I think there would need
to be clear instructions posted somewhere on how to proceed, ideally
with a link in clear text in the mail. Otherwise infra may have to
deal with lots of FAQs...

Also, how are PMC members supposed to co-operate on dealing with such a mail?
Perhaps by using the same system for follow-ups?
Any unencrypted discussions on the private@list would need to be very
careful not to expose the content of the mail inadvertently.

> If there are questions about how the current set-up works, I'd be happy
> to explain it in more detail.

For e-mail addressed to the PMC, would it be sent to the PMC mailing
list or to individual members?

It would be useful if a PMC member could find out who else had been
sent the mail (and who can potentially decrypt it) so they can
co-operate on dealing with it.

With any system that allows web-mail, there is the possibility that it
will be used for sending junk - are there any safeguards against this?

Is there a way to authenticate the sender?

> With regards,
> Daniel.
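
The PGP status report of step 7.c (and the recipient set step 7.a needs), as an added example that is not SecSubmit's code or anything posted in the thread: it parses the machine-readable `gpg --list-keys --with-colons` format for a PMC roster and says who currently holds a usable encryption key. The listing, addresses, key IDs and "current time" are constructed.

```python
# Constructed `gpg --list-keys --with-colons` output for a PMC keyring (not real
# keys): one usable key, one expired, one revoked, one sign/certify-only.
SAMPLE_LISTING = """\
pub:u:4096:1:ABCDEF0123456789:1388534400:1546300800::u:::scESC::::::::0:
uid:u::::1388534400::HASH1::Alice Example <alice@example.org>::::::::::0:
pub:e:2048:1:1111222233334444:1262304000:1388534400::e:::scESC::::::::0:
uid:e::::1262304000::HASH2::Bob Example <bob@example.org>::::::::::0:
pub:r:2048:1:5555666677778888:1262304000:::r:::scESC::::::::0:
uid:r::::1262304000::HASH3::Carol Example <carol@example.org>::::::::::0:
pub:u:2048:1:9999AAAABBBBCCCC:1388534400:::u:::scSC::::::::0:
uid:u::::1388534400::HASH4::Dave Example <dave@example.org>::::::::::0:
"""
NOW = 1398364517  # constructed "current time" in epoch seconds (2014-04-24)

def parse_colon_listing(listing):
    """Group pub/uid records: keyid, validity, expiry (epoch or None), caps, uids."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # fields 5, 2, 7, 12 (1-based) as documented in gpg DETAILS
            keys.append({"keyid": f[4], "validity": f[1],
                         "expires": int(f[6]) if f[6] else None,
                         "caps": f[11], "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])  # field 10 is the user ID string
    return keys

def key_status(key, now):
    """Classify a primary key for use as an encryption recipient."""
    if key["validity"] == "r":
        return "revoked"
    if key["validity"] == "e" or (key["expires"] is not None and key["expires"] <= now):
        return "expired"
    # Uppercase letters in field 12 are whole-key capabilities; 'E' means some
    # (sub)key can encrypt, which is what `gpg --recipient` needs.
    return "ok" if "E" in key["caps"] else "no-encryption-capability"

def pmc_pgp_status(listing, members, now=NOW):
    """Return ({address: status}, [key IDs to encrypt to]) for a PMC roster."""
    keys = parse_colon_listing(listing)
    status, recipients = {}, []
    for addr in members:
        mine = [k for k in keys if any(f"<{addr}>" in u for u in k["uids"])]
        verdicts = [key_status(k, now) for k in mine]
        if "ok" in verdicts:  # a member may hold several keys; prefer a usable one
            status[addr] = "ok"
            recipients.append(mine[verdicts.index("ok")]["keyid"])
        else:
            status[addr] = verdicts[0] if verdicts else "no-key"
    return status, recipients
```

With this roster only one of five members could read the encrypted mail, which is exactly the kind of gap the 7.c report is meant to surface before anything is sent.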
