From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: Stashed session keys
Date: Wed, 25 Oct 2017 02:51:45 -0400 [thread overview]
Message-ID: <20171025065203.24403-1-dkg@fifthhorseman.net> (raw)
Now that cleartext indexing is merged, let's add the ability to stash
session keys!
Background
==========
Encrypted e-mail messages are "hybrid" encryption. The message body
is encrypted with an ephemeral session key, and then that session key
is itself encrypted to the user's public key.
If an MUA retains (or obtains) a copy of the session key for a given
message, it can access the cleartext of that message without needing
any access to the user's private key material.
This offers possible wins in efficiency, usability, convenience *and*
security, as the series hopefully makes clear.
Decryption Policies
===================
At the end of the series, there are four sensible policies defined for
message decryption and stashing of session keys. There are only two i
expect to see any widespread regular use: "auto", and "true". But
hopefully the reasons for including the other two policies ("false"
and "nostash") are made clear by the series itself.
I'll replicate here the table this series adds to notmuch-config(1),
in describing the available values for index.try_decrypt:
+------------------------+-------+------+---------+------+
| | false | auto | nostash | true |
+========================+=======+======+=========+======+
| Index cleartext using | | X | X | X |
| stashed session keys | | | | |
+------------------------+-------+------+---------+------+
| Index cleartext | | | X | X |
| using secret keys | | | | |
+------------------------+-------+------+---------+------+
| Stash session keys | | | | X |
+------------------------+-------+------+---------+------+
| Delete stashed session | X | | | |
| keys on reindex | | | | |
+------------------------+-------+------+---------+------+
Please let me know what you think! I'd love feedback and critique.
Happy hacking,
--dkg
next reply other threads:[~2017-10-25 6:52 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-25 6:51 Daniel Kahn Gillmor [this message]
2017-10-25 6:51 ` [PATCH 01/18] mime-node: handle decrypt_result more safely Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 02/18] crypto: add _notmuch_crypto_decrypt wrapper function Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 03/18] crypto: use stashed session-key properties for decryption, if available Daniel Kahn Gillmor
2017-10-26 19:00 ` Daniel Kahn Gillmor
2017-11-14 13:02 ` David Bremner
2017-11-14 13:54 ` Daniel Kahn Gillmor
2017-11-15 12:59 ` David Bremner
2017-10-25 6:51 ` [PATCH 04/18] test/corpora: add an encrypted message for index decryption tests Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 05/18] crypto: Test restore of cleartext index from stashed session keys Daniel Kahn Gillmor
2017-11-14 13:13 ` David Bremner
2017-11-14 13:58 ` Daniel Kahn Gillmor
2017-11-14 14:27 ` David Bremner
2017-10-25 6:51 ` [PATCH 06/18] lib: convert notmuch decryption policy to an enum Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 07/18] crypto: new decryption policy "auto" Daniel Kahn Gillmor
2017-11-11 23:14 ` Jameson Graef Rollins
2017-11-12 3:39 ` Daniel Kahn Gillmor
2017-11-12 15:26 ` Jameson Graef Rollins
2017-11-14 13:21 ` David Bremner
2017-10-25 6:51 ` [PATCH 08/18] cli/reply: use decryption policy "auto" by default Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 09/18] cli/show: " Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 10/18] cli/show, reply: document use of stashed session keys in notmuch-properties Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 11/18] cli/new, insert, reindex: update documentation for --try-decrypt=auto Daniel Kahn Gillmor
2017-11-15 20:02 ` David Bremner
2017-10-25 6:51 ` [PATCH 12/18] crypto: record whether an actual decryption attempt happened Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 13/18] cli/new, insert, reindex: change index.try_decrypt to "auto" by default Daniel Kahn Gillmor
2017-11-16 12:40 ` David Bremner
2017-11-30 6:16 ` Daniel Kahn Gillmor
2017-10-25 6:51 ` [PATCH 14/18] cli/reindex: destroy stashed session keys when --try-decrypt=false Daniel Kahn Gillmor
2017-10-25 6:52 ` [PATCH 15/18] crypto: actually stash session keys when try-decrypt=true Daniel Kahn Gillmor
2017-11-16 12:53 ` David Bremner
2017-11-30 15:57 ` Daniel Kahn Gillmor
2017-12-02 1:56 ` David Bremner
2017-10-25 6:52 ` [PATCH 16/18] crypto: add --try-decrypt=nostash to avoid stashing session keys Daniel Kahn Gillmor
2017-10-25 14:46 ` Daniel Kahn Gillmor
2017-11-16 13:02 ` David Bremner
2017-10-25 6:52 ` [PATCH 17/18] docs: clean up documentation about decryption policies Daniel Kahn Gillmor
2017-10-25 6:52 ` [PATCH 18/18] python: add try_decrypt argument to Database.index_file() Daniel Kahn Gillmor
2017-11-16 13:06 ` David Bremner
2017-11-30 15:58 ` Daniel Kahn Gillmor
2017-11-11 7:56 ` Stashed session keys Daniel Kahn Gillmor
2017-11-11 23:31 ` Jameson Graef Rollins
2017-11-12 3:51 ` Daniel Kahn Gillmor
2017-11-12 15:15 ` Jameson Graef Rollins
2017-11-12 18:51 ` Daniel Kahn Gillmor
2017-11-15 22:41 ` meskio
2017-11-16 16:03 ` Daniel Kahn Gillmor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171025065203.24403-1-dkg@fifthhorseman.net \
--to=dkg@fifthhorseman.net \
--cc=notmuch@notmuchmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).