Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-19 Thread Jameson Graef Rollins
On Tue, Jun 19 2018, Daniel Kahn Gillmor wrote:
> This is looking good to me, thanks!
>
> two more bits of nit-pickery below:
>
> On Tue 2018-06-19 08:20:12 -0700, Jameson Graef Rollins wrote:
>> +(defcustom notmuch-show-stash-session-keys nil
>> +  "Should session keys be stashed when decrypting messages for display?
>> +
>> +If this variable is non-nil session keys recovered while
>> +decrypting messages for display will be stored in the database.
>> +See description of --decrypt option in notmuch-show(1) for more
>> +information.
>
> do we want to include a warning here about the security of the index?
> setting this value to true not only stashes the session keys, but it
> also indexes the cleartext.  at the moment we're not directing people to
> the same kind of warnings ("Be aware that the index… DO NOT USE …
> without considering the security of your index.") that are present
> already in notmuch-reindex(1) and notmuch-new(1) and notmuch-insert(1).
> Perhaps notmuch-show(1) needs the same boilerplate warning, and we could
> replicate some short version of it here too?

I was wondering if it would make sense to have a separate man page for
describing all the intricacies of notmuch's crypto functionality,
i.e. notmuch-crypto(7).  There's going to be a lot of
redundancy/boilerplate in all the different man pages, and it seems like
it would be useful to put it all in one place and just reference it from
all the others.

This could also be a good place to describe how protected headers are
handled, and autocrypt once we finally get around to implementing it.

>> +NOTE: Stashing encryption session keys requires opening the
>> +notmuch database in read/write mode, which is not normally done
>
> i'd say "not otherwise done" instead of "not normally done", since we
> don't want to claim that people who use this feature aren't "normal" :)

But the claim wouldn't not be true!

I'll push another (five copies of a new) version.

jamie.


___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch


Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-19 Thread Daniel Kahn Gillmor
This is looking good to me, thanks!

two more bits of nit-pickery below:

On Tue 2018-06-19 08:20:12 -0700, Jameson Graef Rollins wrote:
> +(defcustom notmuch-show-stash-session-keys nil
> +  "Should session keys be stashed when decrypting messages for display?
> +
> +If this variable is non-nil session keys recovered while
> +decrypting messages for display will be stored in the database.
> +See description of --decrypt option in notmuch-show(1) for more
> +information.

do we want to include a warning here about the security of the index?
setting this value to true not only stashes the session keys, but it
also indexes the cleartext.  at the moment we're not directing people to
the same kind of warnings ("Be aware that the index… DO NOT USE …
without considering the security of your index.") that are present
already in notmuch-reindex(1) and notmuch-new(1) and notmuch-insert(1).
Perhaps notmuch-show(1) needs the same boilerplate warning, and we could
replicate some short version of it here too?

> +NOTE: Stashing encryption session keys requires opening the
> +notmuch database in read/write mode, which is not normally done

i'd say "not otherwise done" instead of "not normally done", since we
don't want to claim that people who use this feature aren't "normal" :)

  --dkg




Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-19 Thread Jameson Graef Rollins
On Tue, Jun 19 2018, Jameson Graef Rollins wrote:
> Introduce notmuch-show-store-session-keys customization variable to
> control stashing of session keys.  If non-nil any session keys
> recovered during decryption will be stored in the database.
>
> This is just a switch to have --decrypt= use "stash" instead of
> "true".
> ---
> Gah forgot to update the commit message.  Sorry.

Sorry, this is the one to use, since I messed up the commit message on
the first.  So sorry for all the screw ups.

jamie.


[PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-19 Thread Jameson Graef Rollins
Introduce notmuch-show-store-session-keys customization variable to
control stashing of session keys.  If non-nil any session keys
recovered during decryption will be stored in the database.

This is just a switch to have --decrypt= use "stash" instead of
"true".
---
Gah forgot to update the commit message.  Sorry.

 emacs/notmuch-crypto.el | 15 +++
 emacs/notmuch-query.el  |  4 +++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/emacs/notmuch-crypto.el b/emacs/notmuch-crypto.el
index fc2b5301..26ce19b4 100644
--- a/emacs/notmuch-crypto.el
+++ b/emacs/notmuch-crypto.el
@@ -43,6 +43,21 @@ mode."
   :package-version '(notmuch . "0.25")
   :group 'notmuch-crypto)
 
+(defcustom notmuch-show-stash-session-keys nil
+  "Should session keys be stashed when decrypting messages for display?
+
+If this variable is non-nil session keys recovered while
+decrypting messages for display will be stored in the database.
+See description of --decrypt option in notmuch-show(1) for more
+information.
+
+NOTE: Stashing encryption session keys requires opening the
+notmuch database in read/write mode, which is not normally done
+when retrieving messages for display."
+  :type 'boolean
+  :package-version '(notmuch . "0.28")
+  :group 'notmuch-crypto)
+
 (defface notmuch-crypto-part-header
   'class color)
   (background dark))
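
Review bot: the defcustom added in this hunk is named notmuch-show-stash-session-keys, but the commit message above still introduces the variable as notmuch-show-store-session-keys. Settle on one spelling (the code and the --decrypt=stash value both say "stash") and use it in the commit message, so that a later search of the log for the variable name finds this change.
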
diff --git a/emacs/notmuch-query.el b/emacs/notmuch-query.el
index 563e4acf..e53c9489 100644
--- a/emacs/notmuch-query.el
+++ b/emacs/notmuch-query.el
@@ -32,7 +32,9 @@ is a possibly empty forest of replies.
 "
   (let ((args '("show" "--format=sexp" "--format-version=4")))
 (if notmuch-show-process-crypto
-   (setq args (append args '("--decrypt=true"
+(if notmuch-show-stash-session-keys
+(setq args (append args '("--decrypt=stash")))
+  (setq args (append args '("--decrypt=true")
 (setq args (append args search-terms))
 (apply #'notmuch-call-notmuch-sexp args)))
 
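Review bot: in the new inner if, the --decrypt=stash branch makes displaying a message depend on read/write access to the database, as the NOTE in the notmuch-crypto.el docstring says, yet nothing at this call site covers the case where that access is not available. Please state, in the docstring or in a comment here, what the user sees when the database cannot be opened read/write (an error from notmuch-call-notmuch-sexp, or a fallback to --decrypt=true), so the failure mode of enabling the option is documented.
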
-- 
2.17.1



[PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-19 Thread Jameson Graef Rollins
Introduce notmuch-crypto-store-session-keys customization variable to
control stashing of session keys.  If non-nil any session keys
recovered during decryption will be stored in the database.

This is just a switch to have --decrypt= use "stash" instead of
"true".
---
 emacs/notmuch-crypto.el | 15 +++
 emacs/notmuch-query.el  |  4 +++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/emacs/notmuch-crypto.el b/emacs/notmuch-crypto.el
index fc2b5301..26ce19b4 100644
--- a/emacs/notmuch-crypto.el
+++ b/emacs/notmuch-crypto.el
@@ -43,6 +43,21 @@ mode."
   :package-version '(notmuch . "0.25")
   :group 'notmuch-crypto)
 
+(defcustom notmuch-show-stash-session-keys nil
+  "Should session keys be stashed when decrypting messages for display?
+
+If this variable is non-nil session keys recovered while
+decrypting messages for display will be stored in the database.
+See description of --decrypt option in notmuch-show(1) for more
+information.
+
+NOTE: Stashing encryption session keys requires opening the
+notmuch database in read/write mode, which is not normally done
+when retrieving messages for display."
+  :type 'boolean
+  :package-version '(notmuch . "0.28")
+  :group 'notmuch-crypto)
+
 (defface notmuch-crypto-part-header
   'class color)
   (background dark))
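
Review bot: the docstring of notmuch-show-stash-session-keys does not say that the variable is only consulted when notmuch-show-process-crypto is non-nil, which is how the notmuch-query.el hunk of this patch uses it. Add a sentence stating that dependency, and put a comma after "non-nil" in "If this variable is non-nil session keys recovered while" so the sentence parses on first read.
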
diff --git a/emacs/notmuch-query.el b/emacs/notmuch-query.el
index 563e4acf..e53c9489 100644
--- a/emacs/notmuch-query.el
+++ b/emacs/notmuch-query.el
@@ -32,7 +32,9 @@ is a possibly empty forest of replies.
 "
   (let ((args '("show" "--format=sexp" "--format-version=4")))
 (if notmuch-show-process-crypto
-   (setq args (append args '("--decrypt=true"
+(if notmuch-show-stash-session-keys
+(setq args (append args '("--decrypt=stash")))
+  (setq args (append args '("--decrypt=true")
 (setq args (append args search-terms))
 (apply #'notmuch-call-notmuch-sexp args)))
 
-- 
2.17.1



Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-19 Thread Jameson Graef Rollins
On Tue, Jun 19 2018, David Bremner wrote:
> I'm fine with whatever you and dkg decide for a name, but note that the
> customization group is independent from the name; you just choose
> whatever group you want in the defcustom.

Oh, I didn't realize that.  I thought they were linked.  In that case
I'll go with:

notmuch-show-store-session-keys




Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-19 Thread David Bremner
Jameson Graef Rollins writes:

> On Mon, Jun 18 2018, Daniel Kahn Gillmor wrote:
>> This looks like it would work, but calling it
>> notmuch-crypto-store-session-keys is a bit confusing, because based on
>> the name it looks like it would apply to many places (e.g. during
>> message sending, should a session key be stored when the outbound
>> message is fcc'ed?), but based on the implementation it only matters
>> during "show".
>>
>> Should its name be notmuch-show-store-session-keys instead?
>
> I feel like it should be under the notmuch-crypto customization group,
> not notmuch-show.  notmuch-crypto-show-store-session-keys ?
>

I'm fine with whatever you and dkg decide for a name, but note that the
customization group is independent from the name; you just choose
whatever group you want in the defcustom.

d


Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-18 Thread Jameson Graef Rollins
On Mon, Jun 18 2018, Daniel Kahn Gillmor wrote:
> how about:
>
> notmuch-crypto-store-session-keys-on-show

Works for me.


Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-18 Thread Daniel Kahn Gillmor
On Mon 2018-06-18 15:49:45 -0700, Jameson Graef Rollins wrote:
> On Mon, Jun 18 2018, Daniel Kahn Gillmor wrote:
>
>> Should its name be notmuch-show-store-session-keys instead?
>
> I feel like it should be under the notmuch-crypto customization group,
> not notmuch-show.  notmuch-crypto-show-store-session-keys ?

how about:

notmuch-crypto-store-session-keys-on-show

?

--dkg


Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-18 Thread Jameson Graef Rollins
On Mon, Jun 18 2018, Daniel Kahn Gillmor wrote:
> This looks like it would work, but calling it
> notmuch-crypto-store-session-keys is a bit confusing, because based on
> the name it looks like it would apply to many places (e.g. during
> message sending, should a session key be stored when the outbound
> message is fcc'ed?), but based on the implementation it only matters
> during "show".
>
> Should its name be notmuch-show-store-session-keys instead?

I feel like it should be under the notmuch-crypto customization group,
not notmuch-show.  notmuch-crypto-show-store-session-keys ?

> also, i think the description of the variable setting should be clearer
> about its scope, and about the implications of setting it to non-nil
> (e.g. needing read/write access to the notmuch db to view all messages)

I will clarify the docs once we decide on variable name.

jamie.




Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-18 Thread Daniel Kahn Gillmor
thanks for working on this, Jamie!

On Sun 2018-06-17 17:31:38 -0700, Jameson Graef Rollins wrote:
> Introduce notmuch-crypto-store-session-keys customization variable to
> control stashing of session keys.  If non-nil any session keys
> recovered during decryption will be stored in the database.
>
> This is just a switch to have --decrypt= use "stash" instead of
> "true".
> ---
> This seems like the simplest approach, to just add a new variable to
> control session key stashing.  Much simpler than reworking the meaning
> of notmuch-crypto-process-mime.

This looks like it would work, but calling it
notmuch-crypto-store-session-keys is a bit confusing, because based on
the name it looks like it would apply to many places (e.g. during
message sending, should a session key be stored when the outbound
message is fcc'ed?), but based on the implementation it only matters
during "show".

Should its name be notmuch-show-store-session-keys instead?

also, i think the description of the variable setting should be clearer
about its scope, and about the implications of setting it to non-nil
(e.g. needing read/write access to the notmuch db to view all messages)

  --dkg




[PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

2018-06-17 Thread Jameson Graef Rollins
Introduce notmuch-crypto-store-session-keys customization variable to
control stashing of session keys.  If non-nil any session keys
recovered during decryption will be stored in the database.

This is just a switch to have --decrypt= use "stash" instead of
"true".
---
This seems like the simplest approach, to just add a new variable to
control session key stashing.  Much simpler than reworking the meaning
of notmuch-crypto-process-mime.

 emacs/notmuch-crypto.el | 10 ++
 emacs/notmuch-query.el  |  4 +++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/emacs/notmuch-crypto.el b/emacs/notmuch-crypto.el
index fc2b5301..e1943f53 100644
--- a/emacs/notmuch-crypto.el
+++ b/emacs/notmuch-crypto.el
@@ -43,6 +43,16 @@ mode."
   :package-version '(notmuch . "0.25")
   :group 'notmuch-crypto)
 
+(defcustom notmuch-crypto-store-session-keys nil
+  "Should session keys from decrypted messages be stored in database?
+
+If this variable is non-nil session keys recovered from decrypted
+messages will be stored in the database.  See notmuch-show(1) for
+more information."
+  :type 'boolean
+  :package-version '(notmuch . "0.28")
+  :group 'notmuch-crypto)
+
 (defface notmuch-crypto-part-header
   'class color)
   (background dark))
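
Review bot: the docstring of notmuch-crypto-store-session-keys says only that session keys "will be stored in the database" and leaves out what that means for confidentiality: a stored session key is enough to decrypt its message, so the database then needs the same protection as the cleartext. Say so in the docstring, and refer to the --decrypt option of notmuch-show(1) by name rather than to the man page as a whole.
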
diff --git a/emacs/notmuch-query.el b/emacs/notmuch-query.el
index 563e4acf..3e6bc8b1 100644
--- a/emacs/notmuch-query.el
+++ b/emacs/notmuch-query.el
@@ -32,7 +32,9 @@ is a possibly empty forest of replies.
 "
   (let ((args '("show" "--format=sexp" "--format-version=4")))
 (if notmuch-show-process-crypto
-   (setq args (append args '("--decrypt=true"
+(if notmuch-crypto-store-session-keys
+(setq args (append args '("--decrypt=stash")))
+  (setq args (append args '("--decrypt=true")
 (setq args (append args search-terms))
 (apply #'notmuch-call-notmuch-sexp args)))
 
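Review bot: the two added branches repeat the same (setq args (append args ...)) form and differ only in the option string. Choosing the string in the inner if and appending once, for example (list (if notmuch-crypto-store-session-keys "--decrypt=stash" "--decrypt=true")), keeps a single append and makes it obvious that exactly one --decrypt value is ever passed.
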
-- 
2.17.1
