chris# chris# at codewarehouse.NET
Fri Jan 18 11:44:49 CET 2008

On Thu, 17 Jan 2008 07:17:59 -0800 (PST), Jason Fesler <jfesler at gigo.com> wrote:
>> I tend to think it is more a matter of using a mail host that you trust.
>> As in most of the cases where I've used gpg/pgp, it was server-side. I
>> mean really, if you can't trust them with your keys, why would you trust
>> them with your mail?
> It is less a matter of trusting the host, and more a matter of trusting
> one's government.  Hosts can be compelled to not provide any notification
> to you what they turn over.

Again, than your mail (and it's contents) will also be at risk. No?
A possible solution is to use a mail server in a region with a Government
you trust. Is that even possible? Is there such a Government?

> As to trusting a host with my provider, I worry less about that - that's
> what GPG is for (when both parties have the keys, not the server
> operators).

It seems also possible to store your keys in /your/ directory - assuming
almost anything but pop-only mailservice. Also, if the server already
has the gpg/pgp binary, than it is merely a matter of telling it where your
key is to sign your mail, on an "as needed" basis. Hell, it could even be
a matter of uploading it from your own computer to the server on an
"as needed" basis.

> The only case where I could see round cube implementing gpg fully on
> server side is where the user is also the operator.  That still leaves
> keys being stored on a multiuser server, but at least he'd know if he was
> served an order.

That should be reasonable, given that your mail is also stored there. I
mean, if you can't trust the provider to separate user space, you cannot
trust them with your mail, or anything else.

> Oh well, off my soap box.  Implement what you want.  I just hope any
> README or whatever includes some paranoia.

I agree, but as much should be said about /anything/ where public
communication is involved. Is there really /any/ public communication
that is 100% safe and secure. ;)

Service provided by hitOmeter.NET internet messaging!

List info: http://lists.roundcube.net/dev/

More information about the Dev mailing list