a proposed change to JSON output to report verification of PGP/MIME signatures.

Carl Worth cworth at cworth.org
Tue Nov 16 11:47:13 PST 2010


On Sat, 13 Nov 2010 02:55:50 -0500, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> i've been trying to wrap my head around how to get notmuch to support
> verifying cryptographically-signed mail.  i'm afraid my current
> understanding of the problem space is that it is neither pretty nor
> clean.  Sorry for the length of this message.

No apology necessary! I really appreciate you putting a lot of thought
into this.

[snip many details of proposal]

> MIME is actually a tree structure, and any subtree can be signed.  But
> currently, "notmuch show" hides the tree structure and produces what
> appears to be a linear set of parts.

The current linearization of parts is a bug that should be fixed. And I
think several aspects of your proposal are effectively workarounds for
this bug. So I'd rather we fix the json output to emit the tree
structure first, and then see what parts of the proposal can be
eliminated.

[And I think David Edmondson's reply said the same as above, but with
more detail. Right?]

> If you actually read this far, you are a champion!  I look forward to
> any feedback you have.

The only other piece I think I'd like to see is actually making the
content of the signature pieces available in the json output. Then, a
client could do its own verification.

Then if we had that would we not want to add the --verify support into
notmuch? (My guess is that we still would want it.)

-Carl

-- 
carl.d.worth at intel.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://notmuchmail.org/pipermail/notmuch/attachments/20101116/4ec53210/attachment.pgp>


More information about the notmuch mailing list