a proposed change to JSON output to report verification of PGP/MIME signatures.

David Edmondson dme at dme.org
Mon Nov 15 02:23:53 PST 2010


On Sat, 13 Nov 2010 02:55:50 -0500, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> It would end up like this (without the --verify flag):
> 
> ---------------------------
>  "body": [
>      {
>          "content": "here is a test message i signed on 2010-11-11.\n\n
>  --dkg\n\n",
>          "content-type": "text/plain",
>          "id": 1,
>          "signedby": [ 2 ]
>      },
>      {
>          "content-type": "application/pgp-signature",
>          "filename": "signature.asc",
>          "id": 2,
>          "signs": [ 1 ],
>          "sigstatus": [ {
>              "verified": "unknown"
>          } ]
>      }
>  ],
> ---------------------------

I think that this should become:

"body": [
    {
        "content-type": "multipart/signed",
        "id": 1,
        "content": [
             {
                 "content": "here is a test message i signed on 2010-11-11.\n\n --dkg\n\n",
                 "content-type": "text/plain",
                 "id": 2,
                 "signedby": [ 3 ],
             },
             {
                 "content-type": "application/pgp-signature",
                 "filename": "signature.asc",
                 "id": 3,
                 "signs": [ 2 ],
                 "sigstatus": [ {
                     "verified": "unknown"
                     } ]
              }
         ]
    }
],

i.e. the existence of the multipart/signed wrapper should be
explicit. In general, all MIME parts should be visible. Your email would
end up output something like
	http://dme.org/emacs/notmuch.multipart/thread.json
(well, that's the thread, but you can see your message as the first in
the thread).

We'd render that as shown in:
	http://dme.org/emacs/notmuch.multipart/screenshot.png
(the indentation of the parts there is optional - in this case it helps
a lot to show the structure).

The JSON output and the rendering are from a previous prototype (branch
'mp3' of https://github.com/dme/notmuch).

> and here it is with the --verify flag:

This would change in a similar manner (only the
application/pgp-signature part would change).

Changing the JSON output in this way would not materially affect your
proposal, I believe. There'd be some implicit changes in the output (for
example, if a signature signs a multipart/mixed part your proposal would
list it as signing the sub-parts of the multipart/mixed, but with my
additional changes it should be listed as signing the multipart/mixed
itself).

dme.
-- 
David Edmondson, http://dme.org


More information about the notmuch mailing list