Changes between Version 9 and Version 10 of AnnouncerPlugin/MessageEncryption

Mar 12, 2010, 8:49:32 PM (8 years ago)
Steffen Hoffmann

added some intro to OpenPGP and proposed AnnouncerEmailEncryption setup procedure


  • AnnouncerPlugin/MessageEncryption

    v9 v10  
    2727=== What ===
    28 What to do. It greatly depends on decision about how much is read from configuration or qualified deduction/guessing. Less configuration is good for the Admin in charge.
     28Here is a description of what shall be done. Experts and GPG/PGP users may wish to skip that section and go to the [#AnnouncerEmailEncryption proposal for trac-specific use] right away.
    30 Overview of expected behavior/features:
    31  * set gpg environment, preferable a dedicated place
    32  * read recipient list, optionally group recipients into require_encryption_group and allow_verbatim_msg_group
    33  * associate each recipient in require_encryption_group with key
    34  * handle behavior on missing key
    35  * embed DEBUG logging into all operations mentioned above
     30==== OpenPGP principles ====
     31FIXME: I'll write here and cite sources for more detailed explanation of OpenPGP standard and cryptography in communication in general.
    37 ''Is it right that different users will have different keys?  If so we can add configuration to the user's preference page.  We could have a big textbox for GPG key and if they have one entered, then use encryption.
     33==== !AnnouncerEmailEncryption ====
     34Now let's look at how OpenPGP could help with Trac and especially with announcements.
     36Imagine, you're using trac in a corporate environment, typically allowing external access to trac, repositories etc. only after authorization or not at all.
     37However you may wish to keep business partners, support customers or even co-workers outside the tightly controlled corporate network informed about certain or all developments. Encrypting mail for external recipients will help to deal with issues as discrete as you like while still using announcements for changes in trac.
     39To get !AnnouncerEmailEncryption up and working you'll have to do take the following steps:
     40 1. install GnuPG on the same host along with Trac[[BR]]
     41  For Debian GNU/Linux a simple {{{apt-get install gnupg}}} will do.
     42 2. install python-gnupg
     43  Currently there is no Debian package available. Install from source of [ project site] is preferred.
     44 3. configure !AnnouncerEmailEncryption in the ![announcer] section of trac.ini for the given trac environment
     45  * gnupg_dir = <path_to_dir>, will default to something like {{{<tracenv>/gnupg}}}[[BR]]
     46   If not existent, this directory would be created and populated with necessary (initially empty) files on next trac start with !AnnouncerEmailEncryption enabled.
     47  * msg_encryption = False|True, default to "False"
     48   Pretty self-explaining. External would opt for splitting recipients according to following rules into group require_encryption_group and allow_verbatim_msg_group and sending an local, verbatim as well as an encrypted version in parallel, if both recipient lists are not empty.
     49  * external recipient_rule = (list of e-mail addresses or regex describing range of e-mail addresses)
     50 4. import pubkeys and associate with users
     51  * admin:
     52   * (mass-)upload from local pubkey(ring) files
     53   * upload from local or public keyserver
     54   * associate pubkey from previous upload with users
     55    User administration should allow for key import and association to users on behalf of every registered user.
     56  * user:
     57   * upload like admin, but associate only to himself/herself
     58   * select pubkey from previous upload (self or admin)
     59    Users may wish to add an OpenPGP key to their configuration.
     60    For simplicity I'd make existence of a pubkey equivalent to an "always encrypt msg for me with this key" option.
     61    For convenience it might still be possible to temporarily disable a key and re-enable it later without deletion and re-import as this is directly supported by GnuPG.
     62 5. add an automatic signing key for the given trac environment (optional)
     63  * upload from local pubkey(ring) file or create it on-demand
     64  * use secret key, if only one is available, else provide a drop-down or similar for selection
     65   For convenience it should be possible to temporarily disable a key and re-enable it later without deleting it.
     67Beware, that this is by now no code but pure concept and subject to change a lot, before public release of the code. As with current code for AnnouncerPlugin there'll be DEBUG logging embed into all operations mentioned above.
     69==== Q&A ====
     70 ?: ''Is it right that different users will have different keys?  If so we can add configuration to the user's preference page.  We could have a big textbox for GPG key and if they have one entered, then use encryption.
     71  A: Yes, different users will (typically) have different keys. It might be desirable even to support multiple keys per user. Only in rare cases one key would be associated with different users/e-mail addresses, even if this might be technically perfectly valid and useful. But it indicates violation of the de-facto standard one-owner-per-key that abhor kind of group keys.
    3973=== How ===
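Review bot: In step 5 the first bullet has the signing key uploaded "from local pubkey(ring) file", but signing needs a secret key, and the next bullet ("use secret key, if only one is available") assumes one is already present. State explicitly that this step imports or generates a secret key into gnupg_dir, and document how it is protected there (file permissions on the directory, passphrase handling for unattended signing), since step 3 defaults gnupg_dir to `<tracenv>/gnupg` inside the Trac environment. Two smaller points in step 3: `external recipient_rule` contains a space and has no stated default, unlike `gnupg_dir` and `msg_encryption`, and the `msg_encryption` description ("External would opt for splitting recipients ...") does not say which setting triggers the split into require_encryption_group and allow_verbatim_msg_group.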
    83117 3. step: extend web_ui of AnnouncerPlugin to remote-control new options from user and/or administration settings
     119==== Q&A ====
    85120[FIXME: add more Q+A here to help with code design evaluation and code review] 
    86121 ?: Why not implement encryption as another IAnnouncementEmailDecorator
    90125  A: Encryption is not about encoding etc.
    91126  ''Formatter is more about turning an event into a message, it shouldn't be done here.'' - '''doki_pen'''
     127 ?: What are the explicitly handled exceptions?
     128  A: For readability let's try to put this into a table.
     129  ||exception ||cause ||action/behavior ||
     130  ||missing pubkey ||fingerprint in user settings but no corresponding key in pubkeyring file ||delete recipient from recipient list of event in delivery, create new event with info "specified pubkey not in Tracs keyring" to be sent to this user and project admin ||
    93132=== Sources (ideas and code) ===
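Review bot: The "missing pubkey" row of the new exceptions table does not say how the follow-up event reaches the affected user: that user has no usable key in the keyring, so the notice can only go out unencrypted, and the row should specify that it carries no content from the original announcement. The table also covers only a fingerprint with no matching key in the pubkeyring file; a key that is present but disabled (which step 4 of the setup procedure allows) and a failure of the encryption call itself need their own rows before this can guide code design. In the message text, "Tracs keyring" should read "Trac's keyring".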