From: Guyzmo Date: Sun, 6 Apr 2014 09:15:16 +0000 (+0200) Subject: Re: Feature suggestion. Indexing encrypted mail? X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ca152c67a3017723ffe91e88831c0f7e84d722c9;p=notmuch-archives.git Re: Feature suggestion. Indexing encrypted mail? --- diff --git a/dc/ab1c5b965394db4d1747aac2e458a4cefec39a b/dc/ab1c5b965394db4d1747aac2e458a4cefec39a new file mode 100644 index 000000000..5e2231348 --- /dev/null +++ b/dc/ab1c5b965394db4d1747aac2e458a4cefec39a 
@@ -0,0 +1,94 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 1E698431FBF + for ; Sun, 6 Apr 2014 02:17:12 -0700 (PDT) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 1.775 +X-Spam-Level: * +X-Spam-Status: No, score=1.775 tagged_above=-999 required=5 + tests=[URIBL_BLACK=1.775] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id qZdOscLZx9DN for ; + Sun, 6 Apr 2014 02:17:04 -0700 (PDT) +Received: from mail.m0g.net (vilya.m0g.net [88.191.157.47]) + by olra.theworths.org (Postfix) with ESMTP id 7CA37431FB6 + for ; Sun, 6 Apr 2014 02:17:04 -0700 (PDT) +Received: from localhost (localhost [127.0.0.1]) + by mail.m0g.net (Postfix) with ESMTP id 88E8F3E08E7; + Sun, 6 Apr 2014 11:15:25 +0200 (CEST) +X-Virus-Scanned: Debian amavisd-new at vilya.m0g.net +Received: from mail.m0g.net ([127.0.0.1]) + by localhost (sd-38500.dedibox.fr [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id U3SX+p5M-QyM; Sun, 6 Apr 2014 11:15:21 +0200 (CEST) +Received: by mail.m0g.net (Postfix, from userid 1000) + id E41E93E24D6; Sun, 6 Apr 2014 11:15:20 +0200 (CEST) +Date: Sun, 6 Apr 2014 11:15:16 +0200 +From: Guyzmo +To: Jameson Graef Rollins +Subject: Re: Feature suggestion. Indexing encrypted mail? 
+Message-ID: <20140406091516.GG26903@vilya.m0g.net> +References: <86k3b3ybo6.fsf@someserver.somewhere> + <878urj1z3j.fsf@maritornes.cs.unb.ca> + <87txa7pp8z.fsf@servo.finestructure.net> +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf-8 +Content-Disposition: inline +Content-Transfer-Encoding: 8bit +In-Reply-To: <87txa7pp8z.fsf@servo.finestructure.net> +User-Agent: Mutt/1.5.22.1-rc1 (2013-10-16) +Cc: notmuch@notmuchmail.org, Daniel Kahn Gillmor +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Sun, 06 Apr 2014 09:17:12 -0000 + +Hi! + +On Sat, Apr 05, 2014 at 12:09:32PM -0700, Jameson Graef Rollins wrote: +> On Sat, Apr 05 2014, David Bremner wrote: +> > john.wyzer@gmx.de writes: +> >> Would it be possible to add the configurable option to also decrypt +> >> encrypted messages on the fly while indexing to make them searchable, +> >> too? +> > As far I understand an attacker could reconstruct the message from the +> > index, so one question is whether the extra complexity in notmuch is +> > worth the minimal extra security over decrypting on delivery and storing +> > plaintext on the (presumably encrypted) disk. Of course decrypting on +> > delivery may be inconvenient (or impossible). I have CCed the two people +> > who have implemented most of the crypto related stuff in notmuch so they +> > can comment. +> Indexing encrypted email is a bit of a foot-gun, since, as David +> mentions, it is apparently possible to reconstruct encrypted messages +> From the index. It therefore needs to be approached with care. +> +> I think decrypting on "delivery" (or mail fetch or whatever) sounds +> difficult and unwieldy. In either event, it seems out of the scope of +> notmuch. If a user figured out how to have that done, no changes to +> notmuch would be needed afaict. 
+[…] + + I indeed agree with this view, and I think the best process would be +to have the MUA decrypt and index an encrypted mail when the user wants +it to be indexed. So the user do not get really highly secret messages +disclosable by the index, and for the others take that kind of risk. + + That way you wouldn't need to keep the secret in the gpg-agent for +too long, and/or need a password for an automated process. + +my two cents, + +-- +Guyzmo
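Review bot: Several address-bearing headers in the added file are empty as shown in this hunk: `Return-Path:` has no value, the `Received:` lines read `for ;` with no recipient, and `List-Unsubscribe:`, `List-Archive:`, `List-Post:`, `List-Help:` and `List-Subscribe:` carry at most a bare comma. `Message-ID`, `References` and `In-Reply-To` in the same hunk keep their angle-bracketed values, so the loss is selective. If the stored blob really looks like this, the archive no longer records the envelope recipient or the list URIs. I would check that whatever writes these files preserves angle-bracketed addresses byte for byte, and re-import this message from the original mbox if it does not.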