On Mon, May 18, 2015 at 10:45:50PM +0300, IETF Chair wrote:
> The Mailman passwords are emailed in plain text, which is
> generally considered a poor practice from a security standpoint.

These are low-value secrets. It doesn't matter if they go over e-mail
in cleartext.

What really matters though is that users be able to access the features
that these passwords have enabled thus far:

 - unsubscribing

 - changing one's subscribed address

   (this is incredibly useful, since mailman allows mass-changing the
   subscribed address, so if one is subscribed to 50 IETF lists and one
   needs to change the subscribed address, a single change will suffice
   for all, instead of having to do 50 manual changes)

 - accessing moderation and other manager features (for list
   owners/moderators)

These operations can't be made much harder than they are now. I, and I
suspect most everyone else, WILL NOT keep a password database for these
passwords, and we won't memorize them either.

I'm not opposed to not e-mailing these passwords periodically, or even
not e-mailing them at all, as long as there's a way to access the above
features without having to memorize these silly passwords. Forcing
users to go through a password reset every time will do, but note that
that's pretty much the same thing as... sending passwords in cleartext
in e-mail!

The one security-relevant difference between e-mail list password reset
and e-mail list password reminders is that password reset tokens
generally expire. Both are utterly low-value, neither requires
cryptographic protection.

If all you're doing is no longer mailing these _periodically_, then
that's OK, and if it helps operationally, so much the better. But
please don't bill this as a great security improvement -- it's not.

Nico
--