Return-Path: X-Original-To: notmuch@notmuchmail.org Delivered-To: notmuch@notmuchmail.org Received: from localhost (localhost [127.0.0.1]) by olra.theworths.org (Postfix) with ESMTP id 52015431E84 for ; Tue, 20 Aug 2013 10:03:37 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at olra.theworths.org X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=disabled Received: from olra.theworths.org ([127.0.0.1]) by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5LycRLwAveK for ; Tue, 20 Aug 2013 10:03:32 -0700 (PDT) Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by olra.theworths.org (Postfix) with ESMTP id 72388431E62 for ; Tue, 20 Aug 2013 10:03:32 -0700 (PDT) Received: from [192.168.13.198] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 7B8F4F984 for ; Tue, 20 Aug 2013 13:03:28 -0400 (EDT) Message-ID: <5213A15F.30109@fifthhorseman.net> Date: Tue, 20 Aug 2013 13:03:27 -0400 From: Daniel Kahn Gillmor User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130630 Icedove/17.0.7 MIME-Version: 1.0 To: notmuch@notmuchmail.org Subject: Re: Inline-encryption, encryption failure when storing sent mails References: <878v02ysfg.fsf@maritornes.cs.unb.ca> In-Reply-To: <878v02ysfg.fsf@maritornes.cs.unb.ca> X-Enigmail-Version: 1.5.1 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="----enig2HECLHCUIJSUIIGXLDODV" X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2013 17:03:37 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) ------enig2HECLHCUIJSUIIGXLDODV Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 08/16/2013 04:02 AM, David Bremner wrote: > Simon Hirscher writes: >=20 >> 1. Support for inline-encryption As far as I can see, so far only >> encrypted mails with PGP/MIME are supported. Couldn't notmuch also >> support text/plain messages that contain PGP-encrypted messages by >> scanning for "^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE"? =E2=80=93 as sugg= ested in >> a previous message to this mailing list >> (id:87zl3az8mm.fsf@lillypad.riseup.net; web view: >=20 > If someone feels inspired to work on this, maybe=20 >=20 > notmuch-wash-convert-inline-patch-to-part >=20 > (in notmuch-watch.el) might be a reasonable place to start. if anyone does feel inclined to work on this, please consider that dealing cleanly an inline-signed message has a number of serious problems, not least of which is the Content-Type. I've been meaning to write this up more cleanly, but a summary here will have to do for now: The MIME Content-Type header for an inline-PGP-signed e-mail message is not signed. This means that an attacker can replay a signed message while undetectably changing the Content-Type. One example of such an attack is to leave the base Content-Type as text/plain but to switch charsets -- the same bytestream can then be interpreted differently. For example, depending on the charset, the same bytestream can be represented as: The rental is =E2=82=AC13/week for unit 7. [charset=3Dbig5] or: The rental is =C2=A3=D7=9113/week for unit 7. [charset=3Diso-8859-8] since 1GBP =3D 1.17EUR, this represents a change of 17% in the value of the signed message while retaining the signature's validity :P Given that you don't have cryptographically-reliable Content-Type information, will you be comfortable indicating that the message is actually signed? Also, inline-signed messages may not span the entire part. That is, a message could have a bit of unsigned text above or below the inline-signature. The current user-facing UI in notmuch-emacs indicates whether each part is individually signed or not. How would notmuch-emacs indicate reliably to the user that only a portion of the part is signed? In short: inline PGP is a mess, and existing implementations which try to cope with it have severe shortcomings. I'd rather avoid introducing new types of failure to notmuch. --dkg ------enig2HECLHCUIJSUIIGXLDODV Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQJ8BAEBCgBmBQJSE6FfXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVB NTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpc6O4P/1mDlyMjavqICRYT78ssI0dC NU6Oc70NE2b6xkjpsM5xwitYy4Cr0x4z/invb02Du/gJ4soZmGEyeouj9yrjuqOc PEQiXEFesUvoWxvFkS+WUAv56J3ZUVx487Ae6UUMI6b8Yy49gYTZKJ4E0R8dhHXg BFFy7H4X04GHwTgWEQ+P3Qbkf2cXd1BODfT/TvKK4ewlnl8AsQOVc8S0oeuO7Ql9 7bIDK6MX/g7Spv+h6DyZhpgcVJUw81CQcN6Pzvrja4VgbKMQ6dHZbvYgA+k3EZHc ghMskJh9KIodkdx8L4DbqC3n/WpKfGVAmXJe8t4uq4n9LL4VfZxOya8aGdGhSiUJ ZeHkmw3GP8AnomMUHAXqfrdMR/LKi7rHxE/OM+AoT9rim7fpCmSqbmBuFeyGIIzD iTiodsJ8Z3vQ9iK50dNJcUJnWTRQnePHBCRv888al491G2hzDRq+rFy4ybQupA0G 7QNeVTBNdCvWkbj9imNS+8VSUd7wKU5AkQr51iJw9vXjF3fcg1wTCMGaITv6w9hV yVtPD8wQ88Mvx/tmbMpe0a/weQWN/HDl9w/0KzPlshetmzwe+HAiWxNgjmi7ICFh 4FsFBgKqZnYIsz+FyLGJeCYn4pzCXBMrJZgjqB7WJ8dHVfUwEQBlmtPS28VR0xER ioh50g9CtLuQUI44ujnV =HHmd -----END PGP SIGNATURE----- ------enig2HECLHCUIJSUIIGXLDODV--