On Thu, 17 Jan 2008 07:17:59 -0800 (PST), Jason Fesler jfesler@gigo.com wrote:
I tend to think it is more a matter of using a mail host that you trust. As in most of the cases where I've used gpg/pgp, it was server-side. I mean really, if you can't trust them with your keys, why would you trust them with your mail?
It is less a matter of trusting the host, and more a matter of trusting one's government. Hosts can be compelled to not provide any notification to you what they turn over.
Again, than your mail (and it's contents) will also be at risk. No? A possible solution is to use a mail server in a region with a Government you trust. Is that even possible? Is there such a Government?
As to trusting a host with my provider, I worry less about that - that's what GPG is for (when both parties have the keys, not the server operators).
It seems also possible to store your keys in /your/ directory - assuming almost anything but pop-only mailservice. Also, if the server already has the gpg/pgp binary, than it is merely a matter of telling it where your key is to sign your mail, on an "as needed" basis. Hell, it could even be a matter of uploading it from your own computer to the server on an "as needed" basis.
The only case where I could see round cube implementing gpg fully on server side is where the user is also the operator. That still leaves keys being stored on a multiuser server, but at least he'd know if he was served an order.
That should be reasonable, given that your mail is also stored there. I mean, if you can't trust the provider to separate user space, you cannot trust them with your mail, or anything else.
Oh well, off my soap box. Implement what you want. I just hope any README or whatever includes some paranoia.
I agree, but as much should be said about /anything/ where public communication is involved. Is there really /any/ public communication that is 100% safe and secure. ;)
///////////////////////////////////////////////////// Service provided by hitOmeter.NET internet messaging! .
List info: http://lists.roundcube.net/dev/