[asterisk-users] Security communication dilemma: your help needed

John Todd jtodd at digium.com
Fri Jan 9 15:05:01 CST 2009



Dilemma: Digium will sometimes receive requests to send GPG-encrypted  
mail dealing with security issues.  This works somewhat poorly for  
email role accounts where there are multiple recipients on a single  
address.  If there exists a better way to do this that doesn't involve  
a lot of customization, let me know and we'll see if it will do the  
right thing, otherwise we'll continue with the functional but somewhat  
awkward current method.

Current procedure: An individual will reply back, and create a 1:1  
signed exchange with the original correspondent.  Then, the Digium  
staffer will relay the data (with relevant GPG keys) to each other  
Digium staff member who may be involved.

Desired procedure:  A public key signature method would be publicly  
available via an SSL web page or various keyservers.  Individuals  
could sign messages with the public key.  Signed messages sent to  
"security@" would then be decrypted, and re-encrypted with the  
security@ key and sent to the small list of end recipients.  Any  
recipients who replied back to the message would have the process  
happen in reverse, and also have copies of the reply sent (encrypted)
to the other members of this email "exploder" as well as the external  
author.

Summary: Has anyone implemented a "B2BUA" for GPG-signed email?

JT

---
John Todd                       email:jtodd at digium.com
Digium, Inc. | Asterisk Open Source Community Director
445 Jan Davis Drive NW -  Huntsville AL 35806  -   USA
direct: +1-256-428-6083         http://www.digium.com/
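
The relay described under "Desired procedure", as an added example that is not part of the original post: it decrypts with the role key, then signs and re-encrypts for the fan-out list in either direction. The addresses, the `ROLE` and `MEMBERS` values and all function names are assumptions; the role secret key and every recipient's public key are assumed to be in the relay's GnuPG keyring.

```python
import subprocess

ROLE = "security@example.org"                       # assumed role address and key
MEMBERS = ["alice@example.org", "bob@example.org"]  # assumed staff behind the role

def recipients(sender, external_author, members=MEMBERS):
    """Who receives a re-encrypted copy of a message from `sender`."""
    sender = sender.strip().lower()
    if sender in members:
        # Reply from staff: the other members plus the outside correspondent.
        return [m for m in members if m != sender] + [external_author.strip().lower()]
    # Inbound report: every member of the role account.
    return list(members)

def decrypt_argv():
    # Assumption: the role secret key is usable without an interactive
    # passphrase prompt (for example, unlocked through gpg-agent).
    return ["gpg", "--batch", "--decrypt"]

def encrypt_argv(to):
    if not to:
        raise ValueError("refusing to relay with no recipients")
    argv = ["gpg", "--batch", "--armor", "--local-user", ROLE]
    for addr in to:
        argv += ["--recipient", addr]
    # Sign with the role key so receivers can verify the relay produced this copy.
    return argv + ["--sign", "--encrypt"]

def relay(ciphertext, sender, external_author):
    """Decrypt with the role key, then re-encrypt for the fan-out list."""
    to = recipients(sender, external_author)
    # Plaintext moves only through pipes; it is never written to disk.
    plain = subprocess.run(decrypt_argv(), input=ciphertext,
                           capture_output=True, check=True).stdout
    # check=True raises if gpg exits non-zero (for example, an unusable
    # recipient key), so a failed encryption is never forwarded.
    armored = subprocess.run(encrypt_argv(to), input=plain,
                             capture_output=True, check=True).stdout
    return to, armored
```

One multi-recipient ciphertext carries the key ID of every recipient, so on replies the external author can see which staff keys were addressed; encrypt one copy per recipient if that matters.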