From 5ae937b5614d794bc9f3c469f9390b4d33505186 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 3 Jun 2016 17:08:51 +2000 Subject: [PATCH] crypto and draft messages [was: Re: Emacs: postponing messages] --- fd/f405fd156066ee6b30e6c1da7e70355cc70ff7 | 110 ++++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 fd/f405fd156066ee6b30e6c1da7e70355cc70ff7 diff --git a/fd/f405fd156066ee6b30e6c1da7e70355cc70ff7 b/fd/f405fd156066ee6b30e6c1da7e70355cc70ff7 new file mode 100644 index 000000000..9a03f007d --- /dev/null +++ b/fd/f405fd156066ee6b30e6c1da7e70355cc70ff7 @@ -0,0 +1,110 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by arlo.cworth.org (Postfix) with ESMTP id A3EE46DE01D0 + for ; Thu, 2 Jun 2016 14:09:04 -0700 (PDT) +X-Virus-Scanned: Debian amavisd-new at cworth.org +X-Spam-Flag: NO +X-Spam-Score: -0.02 +X-Spam-Level: +X-Spam-Status: No, score=-0.02 tagged_above=-999 required=5 tests=[AWL=-0.020] + autolearn=disabled +Received: from arlo.cworth.org ([127.0.0.1]) + by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id jZKYse1YD9sk for ; + Thu, 2 Jun 2016 14:08:56 -0700 (PDT) +Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) + by arlo.cworth.org (Postfix) with ESMTP id 4F0726DE00DB + for ; Thu, 2 Jun 2016 14:08:56 -0700 (PDT) +Received: from fifthhorseman.net (unknown [38.109.115.130]) + by che.mayfirst.org (Postfix) with ESMTPSA id BE94BF98B; + Thu, 2 Jun 2016 17:08:55 -0400 (EDT) +Received: by fifthhorseman.net (Postfix, from userid 1000) + id 46A3220205; Thu, 2 Jun 2016 17:08:55 -0400 (EDT) +From: Daniel Kahn Gillmor +To: Mark Walters , notmuch@notmuchmail.org +Subject: crypto and draft messages [was: Re: Emacs: postponing messages] +In-Reply-To: <87mvn330zr.fsf@qmul.ac.uk> +References: <87mvn330zr.fsf@qmul.ac.uk> +User-Agent: Notmuch/0.22+16~g87b7bd4 (http://notmuchmail.org) Emacs/24.5.1 + (x86_64-pc-linux-gnu) +Date: Thu, 02 Jun 2016 17:08:51 -0400 +Message-ID: <8737ovqows.fsf@alice.fifthhorseman.net> +MIME-Version: 1.0 +Content-Type: multipart/signed; boundary="=-=-="; + micalg=pgp-sha512; protocol="application/pgp-signature" +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.20 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Thu, 02 Jun 2016 21:09:04 -0000 + +--=-=-= +Content-Type: text/plain + +On Thu 2016-06-02 14:21:44 -0400, Mark Walters wrote: +> There was some discussion on irc yesterday about a better way of +> postponing message when using the emacs frontend. I think getting a +> moderately nice interface should be quite easy (see below) but there are +> some corner cases on what *should* happen that I would like to resolve +> before trying to implement anything. + +one other corner case worth thinking about here (it can probably be +postponed until we have base cases handled, but i wanted to bring it up) +is how per-message cryptographic operations (mml-secure-*) interact with +drafts. + +In particular, i think that any sort of message signing should *not* +happen during saving of a draft, but the intent to sign should be +preserved. That is, we should save and restore the #secure tag when +saving a draft or restoring a draft, but the saved draft itself should +*not* be signed. + +for encryption, i have a different (and arguably opposite) intuition. +if the sender has the ability to *decrypt* mails, i'd argue that saving +a draft should encrypt the draft, regardless of the draft's stated +intent to encrypt. + +These cases matter because i know many people use tools like +offline-imap to sync their mail store with a remote mailserver. + +if the remote mailserver can get a copy of the signed draft, it could +replay it (effectively making use of an unintentional signature). +Likewise, if the user doesn't think about encrypting a message until +they're they're ready to send it, then an intermediate/draft version of +the message might end up in cleartext on the remote server. + + --dkg + +--=-=-= +Content-Type: application/pgp-signature; name="signature.asc" + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQJ8BAEBCgBmBQJXUKBkXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w +ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFREIyRTc0RjU2RkNGMkI2NzI5N0I3MzUy +NEVDRkY1QUZGNjgzNzBBAAoJECTs/1r/aDcKn/kP/jIAa/vPENgQ0pz3OQQ24Drs +l30qjohwbWPmWee8iPdk7ufmUM8YxU63ZBgYpXT3DhG/7xe7tZFzGqmg4y9dcaUs +XXIDuusVBUpmCokSqedI0IW7kTBV3padFHm9Mm/DHEMnKh8Rv9nzIMuxaDTvsi+i +QZWM2o2LcIkiP/zk6qAHsmCgtSQi77txPcBmGuheludDvs6aXRfkV5CB2Silf095 +CLnPCr/8NYQ7TdJpglsuqdBDxrmAUYSKhx2l+tVDe07ksVNcBI+HXghwRjl2SUsE +VOhKD7tz9XQq73cdGe97++GlU0N7p2cECEFEDjyxRUyI6bEYEZ75qT+2lf73QiPi +LEaCJ89SdVMoVBpwiVi0fHlaKY7hehVg1KOXAHoJ+pWNqJhLLj5/O99iIlk/neRR +E98CFiUu95FP9Pc8UJ2ghYVGzfV+9SphcI6MfbNf4xhQSNyyz5f5gmMHeiNn0SV2 +z04F7sh5fDfeOBSjLE4U3ApC2aiLqqC3xUHaoKTOrVdUfLEfW55HO8Ik/thQhEx6 +QbWFiLReBFlFu7SABnHUF16vXnXJej2ZyZB08wxR22BuEtNDopUgxMh6AUetj9j2 +j1CnGLpuwrKGOX+ZawYcLPPWdjApQAlrXbBaENop2OTwP/HZJODtsqFANzu+dcHc +KkNeUvxp5Wxm/6oi7k+I +=+meW +-----END PGP SIGNATURE----- +--=-=-=-- -- 2.26.2