revision 3: easing access to the cryptographic envelope
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat May 25 11:04:02 PDT 2019
This is the third revision of the series originally posted at
id:20190424183113.29242-1-dkg at fifthhorseman.net (revision 2 was at
id:20190520032228.27420-1-dkg at fifthhorseman.net)
This series addresses comments raised by David Bremner in his review.
The most significant change here is that notmuch-show in --format=json
or --format=sexp now always emits a "crypto" member for every message,
regardless of whether there is any cryptographic envelope. In the
case where there is no cryptographic envelope, the "crypto" member
will be empty.
E-mail structures are potentially arbitrarily complicated.
Cryptographic protection standards like S/MIME and OpenPGP or PGP/MIME
are often applicable to some elements of some messages.
Last year's "E-Fail" attacks made it clear that trying to provide
normal users with cryptographic protections on piecemeal parts of an
e-mail message is a recipe for disaster, both from an implementation
perspective and a user experience perspective.
I've argued in more detail at  about the need to treat
cryptographic protections at the message level, rather than at the
This series makes "notmuch show" track and emit message-wide
cryptographic state, providing an interface that simple clients that
use "notmuch show" can rely on for their UI and UX.
It doesn't yet apply this layer to the emacs interface, because at the
moment many users of the emacs interface are nerds who are as likely
to understand the intricacies of MIME structure as anyone, and for the
moment, just augmenting the notmuch show schemata in a sensible way is
enough of a chunk to bite off.
(Though I'd be happy to review and support the use of this
per-message cryptographic state in notmuch-emacs if/when this lands!)
I'd appreciate any review and feedback!