On Mon 2019-04-22 13:26:05 -0400, Daniel Kahn Gillmor wrote: > On Mon 2019-04-22 13:18:14 -0400, Daniel Kahn Gillmor wrote: >> When we have not been able to evaluate the signature status of a given >> MIME part, showing a content-free (and interaction-free) "[ Unknown >> signature status ]" button doesn't really help the user at all, and >> takes up valuable screen real-estate. >> >> A visual reminder that a given message is *not* signed isn't helpful >> unless it is always present, in which case we'd want to see "[ Unknown >> signature status ]" buttons on all messages, even ones that don't have >> a signing structure, but i don't think we want that. > > This is a small step down the path of making notmuch-emacs friendlier > with regards to encrypted messages, but it's one that will have an > effect on future patch series that work with encrypted messages. I'd be > happy to hear any concerns people have about this change, but i find > notmuch-emacs is more pleasant to use this way.
I've heard from some people that they don't like this final patch because the "[ Unknown signature status ]" button is at least an indication that the message appears to be signed (even if we decided not to -- or were unable to -- evaluate the signature). I considered argument this when writing the patch initially, and i don't think it's a good argument for two reasons: a) without actual signature verification, the user experience is trivially scammable by an adversary who knows how to craft a MIME message, and it's basically encouraging a user pattern that is something along the lines of: https://xkcd.com/1181/ (though maybe a bit more subtle, based on MIME structure instead of the inline-signing that xkcd is mocking) This is a particularly bad security indicator and user experience. The thing isn't reliable, and it's not actionable in most cases. b) In the current state of the codebase, the presence of the button does *not* indicate that a signature-like thing is even present. If you look at test/emacs-show.expected-output/notmuch-show-decrypted-message, that shows the cleartext view of a decrypted message which *does not* have an OpenPGP signature on it at all (test/corpora/crypto/basic-encrypted.eml is encrypted but unsigned). I could imagine changing notmuch to fix concern (b) -- that is, hiding the button just in the case where no signature-looking thing is present at all. But i haven't seen anyone even identify that problem publicly yet, let alone offer a fix for it. But i think that (a) is at least as big of a concern as (b); the fix i'm proposing in this series is actually simpler than such a targeted fix would be; and the fix in this series actually solves both problems. If someone wants to offer a fix just for (b) on top of the first two patches in this series, i'd happily advocate for it as better than the status quo, which would let us put off (a) to a more interesting and targeted discussion. --dkg
Description: PGP signature
_______________________________________________ notmuch mailing list firstname.lastname@example.org https://notmuchmail.org/mailman/listinfo/notmuch