* bug#13551: 24.3.50; epa-mail-encrypt chooses wrong key
@ 2013-01-25 21:32 ` Richard Stallman
2019-09-23 16:40 ` Lars Ingebrigtsen
[not found] ` <handler.13551.C.156925686512740.notifdonectrl.0@debbugs.gnu.org>
0 siblings, 2 replies; 7+ messages in thread
From: Richard Stallman @ 2013-01-25 21:32 UTC (permalink / raw)
To: 13551
I have a public key for martin@gnu.org and a key for another martin at
another host. When I encrypt a message to `martin' -- which means, in
my case, `martin@gnu.org' -- epa-mail-encrypt picks the other martin.
epa needs to know the default mail hostname so as to pick the correct
Martin. It can get that from the value of user-mail-address, and
maybe have other ways to specify it.
In GNU Emacs 24.3.50.1 (mips64el-unknown-linux-gnu, GTK+ Version 2.12.12)
of 2013-01-03 on chiefs-gnewsense
Bzr revision: 111408 rgm@gnu.org-20130103023757-9p8awd7j9mkf0ike
System Description: Debian GNU/Linux 6.0.6 (squeeze)
Configured using:
`configure CFLAGS=-O0 -g --with-gif=no --with-tiff=no --no-create
--no-recursion'
Important settings:
value of $LANG: en_US.UTF-8
locale-coding-system: utf-8-unix
default enable-multibyte-characters: t
Major mode: Mail
Minor modes in effect:
gpm-mouse-mode: t
tooltip-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
abbrev-mode: t
Recent input:
C-x b o u t g TAB RET g e ESC x e p a d RET y C-n C-n
C-n C-p C-e @ g n u . o r g ESC x e p a SPC m a i l
SPC e n c TAB RET y y y C-x C-s C-c C-s y C-x b o u
t g TAB RET g C-p e C-x b o u t - 2 9 RET C-_ ESC DEL
ESC DEL DEL ESC x e p a SPC m a i l SPC e n TAB RET
y y C-x 4 b RET C-x o C-x k RET y e s RET ESC x r e
p o r t SPC e m a c s SPC b u g RET
Recent messages:
Saving file /home/rms/outgoing/out-29...
Wrote /home/rms/outgoing/out-29
Send buffer contents as mail message? (y or n) y
Sending...
Wrote /home/rms/outgoing/out-30
Sending...done
Undo!
No public key for rms-response-1w@gnu.org; skip it? (y or n) y
No public key for rms-outgoing@gnu.org; skip it? (y or n) y
Encrypting...done
Load-path shadows:
None found.
Features:
(shadow emacsbug mailalias epa-mail epa derived epg epg-config rmailmm
message sendmail format-spec rfc822 mml easymenu mml-sec mm-decode
mm-bodies mm-encode mailabbrev gmm-utils mailheader mail-parse rfc2231
dired t-mouse time-date rmailedit rmail rfc2047 rfc2045 ietf-drums
mm-util mail-prsvr mail-utils paren cus-start cus-load nadvice advice
help-fns tooltip ediff-hook vc-hooks lisp-float-type mwheel x-win
x-dnd tool-bar dnd fontset image regexp-opt fringe tabulated-list
newcomment lisp-mode register page menu-bar rfn-eshadow timer select
scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame
cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet
lao korean japanese hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese case-table epa-hook jka-cmpr-hook
help simple abbrev minibuffer loaddefs button faces cus-face macroexp
files text-properties overlay sha1 md5 base64 format env code-pages
mule custom widget hashtable-print-readable backquote
make-network-process dbusbind dynamic-setting system-font-setting
font-render-setting move-toolbar gtk x-toolkit x multi-tty emacs)
--
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
Use Ekiga or an ordinary phone call
^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#13551: 24.3.50; epa-mail-encrypt chooses wrong key
2013-01-25 21:32 ` bug#13551: 24.3.50; epa-mail-encrypt chooses wrong key Richard Stallman
@ 2019-09-23 16:40 ` Lars Ingebrigtsen
[not found] ` <handler.13551.C.156925686512740.notifdonectrl.0@debbugs.gnu.org>
1 sibling, 0 replies; 7+ messages in thread
From: Lars Ingebrigtsen @ 2019-09-23 16:40 UTC (permalink / raw)
To: Richard Stallman; +Cc: 13551
Richard Stallman <rms@gnu.org> writes:
> I have a public key for martin@gnu.org and a key for another martin at
> another host. When I encrypt a message to `martin' -- which means, in
> my case, `martin@gnu.org' -- epa-mail-encrypt picks the other martin.
>
> epa needs to know the default mail hostname so as to pick the correct
> Martin. It can get that from the value of user-mail-address, and
> maybe have other ways to specify it.
I don't think any security-related software should be guessing based on
incomplete email addresses. As far as I can tell, it requires a
complete match, which I guess means you have a key for "martin" (without
a domain name) in your key ring.
Choosing this is the right thing to do, I think, so I'm closing this bug
report.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#13551: acknowledged by developer (control message for bug #13551)
[not found] ` <handler.13551.C.156925686512740.notifdonectrl.0@debbugs.gnu.org>
@ 2019-09-27 11:05 ` Richard Stallman
2019-09-27 16:12 ` Lars Ingebrigtsen
0 siblings, 1 reply; 7+ messages in thread
From: Richard Stallman @ 2019-09-27 11:05 UTC (permalink / raw)
To: 13551
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> I don't think any security-related software should be guessing based on
> incomplete email addresses. As far as I can tell, it requires a
> complete match, which I guess means you have a key for "martin" (without
> a domain name) in your key ring.
That is totally unpredictable _for the user sending a reply_.
There are various possible ok things to do, but not that.
Please make this case do something predictable.
--
Dr Richard Stallman
Founder, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#13551: acknowledged by developer (control message for bug #13551)
2019-09-27 11:05 ` bug#13551: acknowledged by developer (control message for bug #13551) Richard Stallman
@ 2019-09-27 16:12 ` Lars Ingebrigtsen
2019-09-28 1:32 ` Richard Stallman
0 siblings, 1 reply; 7+ messages in thread
From: Lars Ingebrigtsen @ 2019-09-27 16:12 UTC (permalink / raw)
To: Richard Stallman; +Cc: 13551
Richard Stallman <rms@gnu.org> writes:
> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> > I don't think any security-related software should be guessing based on
> > incomplete email addresses. As far as I can tell, it requires a
> > complete match, which I guess means you have a key for "martin" (without
> > a domain name) in your key ring.
>
> That is totally unpredictable _for the user sending a reply_.
> There are various possible ok things to do, but not that.
>
> Please make this case do something predictable.
I'm not sure I understand. I think it does do something completely
predictable -- choose the key ring entry that matches what's in your
"From" header. No guessing involved.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#13551: acknowledged by developer (control message for bug #13551)
2019-09-27 16:12 ` Lars Ingebrigtsen
@ 2019-09-28 1:32 ` Richard Stallman
2019-09-28 19:47 ` Lars Ingebrigtsen
0 siblings, 1 reply; 7+ messages in thread
From: Richard Stallman @ 2019-09-28 1:32 UTC (permalink / raw)
To: Lars Ingebrigtsen; +Cc: 13551
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> I'm not sure I understand. I think it does do something completely
> predictable -- choose the key ring entry that matches what's in your
> "From" header.
We seem to be failing to commnuicate. My From header always says
"rms@gnu.org", but we're talking about the address I am sending to --
in the To field. Is that what you mean?
The behavior that you describe is totally unpredictable for me because
it depends on data I don't know, and have no other reason to know.
When foo@bar.com sends me a key, I don't notice what other addresses
that key covers. There is no reason to. And those alternate short
addresses are not listed by epa-list-keys.
If I have a key for 'arthur@gnu.org' and another for
'arthur@berkeley.edu', it is a nuisice for me to check which one, if
either, lists just 'arthur' as an address. Especially since when I
send mail to 'arthur@gnu.org' I may not even remember I know
'arthur@berkeley.edu'.
When I send mail to just 'arthur', that is equivalent by default to
'arthur@gnu.org'. I often omit '@gnu.org' knowing this.
Encryption should do the same thing: treat 'arthur' as short for
'arthur@gnu.org'. That way it will always encrypt for the person that
the mail is going to.
--
Dr Richard Stallman
Founder, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#13551: acknowledged by developer (control message for bug #13551)
2019-09-28 1:32 ` Richard Stallman
@ 2019-09-28 19:47 ` Lars Ingebrigtsen
2019-10-05 13:18 ` Richard Stallman
0 siblings, 1 reply; 7+ messages in thread
From: Lars Ingebrigtsen @ 2019-09-28 19:47 UTC (permalink / raw)
To: Richard Stallman; +Cc: 13551
Richard Stallman <rms@gnu.org> writes:
> > I'm not sure I understand. I think it does do something completely
> > predictable -- choose the key ring entry that matches what's in your
> > "From" header.
>
> We seem to be failing to commnuicate. My From header always says
> "rms@gnu.org", but we're talking about the address I am sending to --
> in the To field. Is that what you mean?
Yes; sorry.
> When I send mail to just 'arthur', that is equivalent by default to
> 'arthur@gnu.org'. I often omit '@gnu.org' knowing this.
>
> Encryption should do the same thing: treat 'arthur' as short for
> 'arthur@gnu.org'. That way it will always encrypt for the person that
> the mail is going to.
Emacs cannot possibly know that when you send to "arthur", that that
email will eventually end up going to "arthur@gnu.org". It could guess,
but guessing in an security context is a no go.
So if you want to send somebody secure messages, you have to tell Emacs
what address the mail is going to: You can't just say "arthur".
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#13551: acknowledged by developer (control message for bug #13551)
2019-09-28 19:47 ` Lars Ingebrigtsen
@ 2019-10-05 13:18 ` Richard Stallman
0 siblings, 0 replies; 7+ messages in thread
From: Richard Stallman @ 2019-10-05 13:18 UTC (permalink / raw)
To: Lars Ingebrigtsen; +Cc: 13551
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> Emacs cannot possibly know that when you send to "arthur", that that
> email will eventually end up going to "arthur@gnu.org".
Sure it can. It could get the domain from mail-host-address. We
could also create another variable specifically to control this.
The current behavior, as you described it, is not much better
security. It is unpredictable in practice for the user. However,
I am not sure how much security issue there is in sending A a message
encrypted for B. Nobody can decrypt that message.
I have seen reason to think that the current behavior doesn't match
what you described. I entered "To: rms" and encrypted the message.
It recognized that was me, rms@gnu.org, and encrypted with my key.
It did this even though my key does not list 'rms' with no host name as
an address (as far as I can tell).
gpg --edit-key rms@gnu.org gave me this:
pub 4096R/2C6464AF2A8E4C02 created: 2013-07-20 expires: never usage: SC
...
sub ...
[ultimate] (1). Richard Stallman <rms@gnu.org>
If the key had another address, wouldn't it be listed there?
In addition, after I run the encryption command,
plain 'rms' has been edited into 'rms@gnu.org'. How does it know
to make that change?
--
Dr Richard Stallman
Founder, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-10-05 13:18 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <87k19z0xut.fsf@gnus.org>
2013-01-25 21:32 ` bug#13551: 24.3.50; epa-mail-encrypt chooses wrong key Richard Stallman
2019-09-23 16:40 ` Lars Ingebrigtsen
[not found] ` <handler.13551.C.156925686512740.notifdonectrl.0@debbugs.gnu.org>
2019-09-27 11:05 ` bug#13551: acknowledged by developer (control message for bug #13551) Richard Stallman
2019-09-27 16:12 ` Lars Ingebrigtsen
2019-09-28 1:32 ` Richard Stallman
2019-09-28 19:47 ` Lars Ingebrigtsen
2019-10-05 13:18 ` Richard Stallman
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).