On 04/07/2014 05:06 PM, Mark Walters wrote: > I think it is worse that that: I think (from what people said on irc > some time ago) that the index contains the word and the position of that > word so essentially the whole message can be reconstructed from the > index.
Agree with Mark here, the warnings around such a feature should clearly
say "this stores a cleartext equivalent of your message in the notmuch
index."
Even if the index weren't structured in this way, modern natural
language processing techniques and a plausible training corpus should be
able to come very close to the original cleartext message, so it should
be treated as such.
fwiw, the workflow i outlined should make it so that users can receive
all messages encrypted; when they read each encrypted message, they get
a choice about whether to store a cleartext-equivalent in their notmuch
index. (note of course that it's possible to store your notmuch index on
an encrypted filesystem itself, for a different flavor of
confidentiality protection for the data once it's come to rest).
This per-message decision mechanism lets a thoughtful user make that
tradeoff on a piecemeal basis (it also allows for blanket
(mis)judgement, of course). There are certainly some messages that one
might never want store in a cleartext index, while other messages might
be less sensitive to exposure while being more valuable to the user if
stored in a well-indexed, searchable local archive.
I think this is a feature worth having, despite the warning labels it
probably needs.
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ notmuch mailing list notmuch@notmuchmail.org http://notmuchmail.org/mailman/listinfo/notmuch
