From: micah
To: notmuch@notmuchmail.org
Date: Mon, 15 Feb 2010 12:55:29 -0500
Subject: [notmuch] Handling encrypted email
Message-ID: <87zl3az8mm.fsf@lillypad.riseup.net>

It took me a while before I figured out how to read OpenPGP encrypted email with the emacs interface to notmuch.
I thought it would be useful to list the steps that I go through to read encrypted email, both for people who are wondering the same thing, but also hopefully to spur a discussion about how to improve the process, as it is clearly problematic and annoying.

At the moment, if you simply hit 'v' on a message that contains a PGP/MIME encoded email part, the notmuch attachment viewer seems to do the right thing and ask you about decrypting the message, but then it puts the result in some mysterious place, or closes that window immediately.

However, there is a set of steps that let you work around this. It's a pain to do, and I'm not skilled enough in elisp to know how to pull all of that together into something that fixes the problem.

These are the steps I can go through to read encrypted email:

1. Determine if there is a PGP/MIME part, or if the message is in-line encrypted.

   PGP/MIME messages typically have no interesting body, although they could, but they do have:

       Attachment: (null) (application/pgp-encrypted)
       Content-type: application/octet-stream
       Non-text part: application/octet-stream

   If you look closer at the mime parts, you see that the above is represented as follows:

       mimepart_4b47a295c184f_2474..fdbe903a82212
       Content-Type: application/pgp-encrypted
       Content-Disposition: attachment

       Version: 1

       mimepart_4b47a295c184f_2474..fdbe903a82212
       Content-Type: application/octet-stream; charset=3DUTF-8
       Content-Disposition: inline; filename=3Dmessage.asc

   In-line PGP messages have the encrypted chunk in the body of the message itself, which can be seen when you view the message. It always starts with this header:

       -----BEGIN PGP MESSAGE-----
       Version: GnuPG v1.4.6 (GNU/Linux)

   and ends with this one:

       -----END PGP MESSAGE-----

   (Obviously the Version line is going to be different, depending on the implementation, but I believe it is always there with an ASCII armored OpenPGP blob.)

2. If it is a PGP/MIME message, then you have to hit 'V' to view the raw message; otherwise, if it is in-line PGP, you would skip this step and go to 3.

3. Using emacs selection, select the region that is bounded by the header and footer of the PGP ASCII armored blob, as described above.

4. M-x epa-decrypt-region (I think this will only work in emacs23)

5. You are asked, "Replace the original text? (y/n)". I think it is not worth doing so, but see what you think.

6. Now the window is split in three: the original raw message from notmuch; the result of the PGP verification of the data ("Good signature from...") appears in a small window (this is good information!); and then the decrypted text.

7. After reading the message, you have to kill a bunch of buffers, and if you want to reply to the message, you have to do some annoying return to the original message, after copying the text you wish to quote....

So what is the desired behavior? I think that the emacs mode should detect PGP messages, in-line or PGP/MIME, and when they are viewed (notmuch show) they should be decrypted and verified. The decrypted text should just replace the encrypted text, and the signature verification should also be represented in a useful way (it is very important to know if a signed/encrypted message has a bad signature, or doesn't verify!), and it should clean up nicely so you don't have to kill a bunch of windows.

mutt deals with inline PGP by just looking in each message, as it is displayed (with a display hook), for the following in the body:

    "^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE"

For PGP/MIME, mutt enables you to set various customizable PGP commands to make things work; however, these pieces may be taken care of with epa-mode.

Hopefully someone can take this and run with it, improving the emacs UI so that it is able to handle this automatically!
micah
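The detection in step 1 and the region selection in step 3, sketched as an added example that is not part of the original post and is not notmuch or mutt code. It uses Python's standard `email` module; the function names and sample messages are constructed for illustration, and the armor test is a stricter, whole-line form of the mutt pattern quoted above.

```python
import re
from email import message_from_string

# Armor header alone on a line: a stricter form of the mutt pattern in the post.
BEGIN_RE = re.compile(r"^-----BEGIN PGP (SIGNED )?MESSAGE-----[ \t]*\r?$", re.M)

def armor_region(body):
    """Return (kind, start, end) of the first complete armored block, else None."""
    begin = BEGIN_RE.search(body)
    if not begin:
        return None
    signed = begin.group(1) is not None
    footer = "-----END PGP SIGNATURE-----" if signed else "-----END PGP MESSAGE-----"
    end = re.compile("^" + re.escape(footer) + r"[ \t]*\r?$", re.M).search(body, begin.end())
    if not end:  # header without footer: truncated text, nothing to decrypt
        return None
    return ("inline-signed" if signed else "inline-encrypted", begin.start(), end.end())

def classify(raw):
    """Return (kind, armored_text); kind is pgp-mime, inline-signed, inline-encrypted or none."""
    for part in message_from_string(raw).walk():
        # PGP/MIME: the application/pgp-encrypted control part marks the message.
        if part.get_content_type() == "application/pgp-encrypted":
            return ("pgp-mime", None)
        if part.get_content_maintype() == "text" and not part.is_multipart():
            data = part.get_payload(decode=True) or b""
            body = data.decode(part.get_content_charset() or "utf-8", "replace")
            region = armor_region(body)
            if region:
                return (region[0], body[region[1]:region[2]])
    return ("none", None)

# Constructed sample messages; the armored body is a placeholder, not ciphertext.
ARMOR = "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1.4.6 (GNU/Linux)\n\nPLACEHOLDER\n-----END PGP MESSAGE-----"
PGP_MIME = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b1\nContent-Type: application/octet-stream\n\n" + ARMOR + "\n--b1--\n"
)
INLINE = "Content-Type: text/plain\n\nHi,\n\n" + ARMOR + "\n\nbye\n"
TRUNCATED = "Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\nPLACEHOLDER\n"
MENTION = "Content-Type: text/plain\n\nIt starts with -----BEGIN PGP MESSAGE----- always.\n"

if __name__ == "__main__":
    for name in ("PGP_MIME", "INLINE", "TRUNCATED", "MENTION"):
        print(name, classify(globals()[name])[0])
```

The returned armored text is what would be handed to the decrypt-and-verify step; the verification result still has to be shown to the reader alongside the plaintext.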