
		ML Encryption

------------------------------------------------------------
1	Overview
1.1	What fml can do
1.2	overview

2	PGP2
2.1	Register PGP2 Public Keys
2.2	PGP2 Commands To Maintain ML's PGP Keys

3	PGP5
3.1	makefml
3.2	PGP bug (from BUGTRAQ@SECURITYFOCUS.COM)

4	PGP (Pretty Good Privacy) for authentication of admin commands
4.1	PGP (Pretty Good Privacy)
4.2	PGP Authenticated Remote Administration
4.3	Register PGP Public Keys
4.4	Remote Administration Based On PGP

5	PGP5
5.1	test
------------------------------------------------------------


1	Overview

1.1	What fml can do

1.2	overview

* You can use pgp2 and pgp5.

* You can use the authentication of admin commands.

* You can use ML article encryption. The relevant variable is

	$USE_ENCRYPTED_DISTRIBUTION

* Please use makefml if you use PGP.

2	PGP2

fml 4.0 cleans up the PGP key directory hierarchy.
See makefml section 4 for more details.

2.1	Register PGP2 Public Keys

	makefml pgp <ML> PGP's options

For example:

	makefml pgp elena -ka public.asc

In fml 4.0:

	makefml aa.pgp
	makefml de.pgp

2.2	PGP2 Commands To Maintain ML's PGP Keys

The PGP options available through fml are:

	-ka
	-kr
	-krs
	-h
	-kx
	-kxa
	-kv
	-kvv
	-kvc
	-kc

Please consult the PGP documentation if these options are unfamiliar.

Example:

	admin pgp -kvv

3	PGP5

	makefml pgpk <ML> PGP's options

3.1	makefml

	pgpk, pgps, pgpv, pgpe

	makefml admin-auth.pgpk
	makefml admin-auth.pgps
	makefml admin-auth.pgpe
	makefml admin-auth.pgpv

	makefml aa.pgpk

	makefml de.pgpk

3.2	PGP bug (from BUGTRAQ@SECURITYFOCUS.COM)

Message-ID:  <Pine.NEB.4.10.10008241020110.29902-100000@setec.org>

PGP-2.6.3ia UNIX    not vulnerable - doesn't support V4 signatures
PGP-5.0i UNIX       not vulnerable
GnuPG-1.0.1 UNIX    not vulnerable

PGP-5.5.3i WINDOWS  VULNERABLE
PGP-6.5.1i WINDOWS  VULNERABLE
PGP-6.5.1i for UNIX VULNERABLE

	http://senderek.de/security/key-experiments.html

	http://www.pgp.com/other/advisories/adk.asp
	http://web.mIt.edu/network/pgp.html

    Message-ID:  <20000826121158.13915.qmail@securityfocus.com>

    PGP updated softwares (http://web.mIt.edu/network/pgp.html):
    ---------------------
    PGP Freeware v6.5.8 is now available for Windows 
    95/98/NT/2000! and the Macintosh
    PGP Freeware v6.5.8 is MacOS 7.6.1+
    PGP Command Line Freeware v6.5.2 is now available for 
    AIX/HP-UX/Linux/Solaris!
    PGP Certificate Server Freeware v2.5.1 is now available for 
    Windows NT/2000 and Solaris!

4	PGP (Pretty Good Privacy) for authentication of admin commands

4.1	PGP (Pretty Good Privacy)

Caution:
I assume you know PGP well. I checked the combination of FML and PGP
2.6.3ui but not PGP 5. Also I do not consider PGP/MIME, OpenPGP,
etc.

4.2	PGP Authenticated Remote Administration

The obvious approaches based on PGP are as follows:

1	authentication using PGP clear signatures

Administrators are the people whose public keys the server knows.

The merit of this method is that the server does not need to generate
a key of its own.

2	Prepare a PGP secret key for the server.
	You encrypt the mail with the server's public key.

Administrators are the people who know the server's public key. This
method requires the assumption that the ML machine is not compromised,
since the machine holds the PGP private (secret) key and public key on
its local disk. This is a very bad assumption.

FML uses the former method for authentication.

[KNOWN BUGS] Encrypted distribution and remote administration with PGP
authentication share the same PGP key directory, so you cannot use both
simultaneously. I will fix this after fml 3.0.

4.3	Register PGP Public Keys

Each ML has its own PGPPATH (environment variable). You should always
use "makefml" in the following way:

	makefml pgp <ML> pgp's options

Let a public key be

	public.asc

Suppose it is the key of a remote administrator. Add the public key to
the ML's keyring with

	makefml pgp elena -ka public.asc

In general the syntax is

	makefml pgp <ML> PGP's options

where PGP's options are the same as the options of the original "pgp"
program.

Example: show the public key list of elena ML.

	makefml pgp elena -kv

4.4	Remote Administration Based On PGP

1	write the "admin commands"
2	clear-sign them with PGP
	e.g. C-c /s if you use mailcrypt.el

3	send the mail to the server

4	the ML server checks the signature against the public keys in the
	ML's PGP pubring (under $DIR/etc/pgp/). If the mail is from a
	registered author (authenticated), the server runs the commands.
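To make the check in steps 1 to 4 concrete, here is an added example (not fml's own code) that models the same flow with GnuPG 2.1+ instead of pgp 2.6.3: a per-ML key directory stands in for PGPPATH, a clear-signed command mail from a registered key is accepted, and one from an unregistered key, or whose body was altered after signing, is rejected. The directory layout, the example addresses and the gpg invocations are assumptions of this example, not fml's.

```shell
#!/bin/sh
# Added example, not fml's own code: fml's clear-signed admin command
# check (sections 4.2 and 4.4) modelled with GnuPG 2.1+ instead of pgp
# 2.6.3. Each ML has its own key directory (PGPPATH); a mail is acted on
# only if its signature verifies against a key registered there.
set -e
# verify_admin_mail PGPPATH MAILFILE: prints the signed command text and
# returns 0 on a good signature from a registered key; returns 1 (prints
# nothing) if the signature is missing, broken, or from an unknown key.
verify_admin_mail() {
    pgppath=$1 mail=$2
    status=$(gpg --homedir "$pgppath" --batch --quiet --status-fd 1 \
                 --trust-model always --verify "$mail" 2>/dev/null) || return 1
    case $status in
        *"[GNUPG:] GOODSIG "*) ;;
        *) return 1 ;;
    esac
    # Take the command text from inside the signed block only, so unsigned
    # text wrapped around the signature is never acted on.
    gpg --homedir "$pgppath" --batch --quiet --trust-model always \
        --decrypt "$mail" 2>/dev/null
}
# Self-test with throw-away keys (constructed data, deleted afterwards).
demo() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/ml" "$tmp/admin" "$tmp/outsider"
    for who in admin outsider; do
        gpg --homedir "$tmp/$who" --batch --quiet --pinentry-mode loopback \
            --passphrase '' --quick-generate-key "$who@example.org" \
            default default never 2>/dev/null
    done
    # Register only the admin's key on the ML ring, as "makefml pgp <ML>
    # -ka public.asc" does for pgp 2.
    gpg --homedir "$tmp/admin" --batch --armor --export admin@example.org \
        > "$tmp/public.asc"
    gpg --homedir "$tmp/ml" --batch --quiet --import "$tmp/public.asc" 2>/dev/null
    printf '# admin commands\nadd user@example.org\n' > "$tmp/cmd.txt"
    for who in admin outsider; do
        gpg --homedir "$tmp/$who" --batch --quiet --pinentry-mode loopback \
            --passphrase '' --clearsign --output "$tmp/$who.asc" "$tmp/cmd.txt"
    done
    sed 's/add user@/add mallory@/' "$tmp/admin.asc" > "$tmp/tampered.asc"
    out=$(verify_admin_mail "$tmp/ml" "$tmp/admin.asc")
    [ "$out" = "$(cat "$tmp/cmd.txt")" ] || return 1          # registered key: run
    ! verify_admin_mail "$tmp/ml" "$tmp/outsider.asc" || return 1  # unknown key
    ! verify_admin_mail "$tmp/ml" "$tmp/tampered.asc" || return 1  # body altered
    rm -rf "$tmp"
    echo "admin accepted, outsider and tampered mail rejected"
}
case ${1-} in demo) demo ;; esac
```

Run it as `sh verify.sh demo` to see the three cases exercised; in a real deployment only `verify_admin_mail` would be called, with the ML's key directory, on each incoming admin mail.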

5	PGP5

5.1	test

    % pgpe -r PGP-ML -f -ats test.txt | mail -s "TEST" PGP-ML

