Emacs lagging for ~4min when opening from certain email.

Emacs lagging for ~4min when opening from certain email.

[navse]

[-- Attachment #1.1: Type: text/plain, Size: 424 bytes --]

Hello,

I have been using Notmuch with Emacs for a couple of days and it has been working great, except for when I open mails from a certain sender with S/MIME signed messages, Emacs will freeze up for about 4 minutes.
Opening the expandable signature inside of the Email repeats the lag.
Lag causing message is attached with confidential lines deleted.

Help is much appreciated and thank you for providing great FOSS.
- N

[-- Attachment #1.2: Type: text/html, Size: 1028 bytes --]

[-- Attachment #2: laggy_message_censored.bin --]
[-- Type: application/octet-stream, Size: 8214 bytes --]

Return-Path:
Received: 
X-Sieve: CMU Sieve 2.4
Received: 
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	
	
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=CENSORED.de; s=x2022-03;
	t=1642986061; bh=ppMyjjA6eX/Rz7yllT2jEjg7gte/r3Bfctpd7B6AsjU=;
	h=From:To:Reply-To:Subject:MIME-Version:Content-Type:Message-Id:
	 Date;
	b=qaJuNqeIVN8FQQZk6emUvcg+MpRFRHdFALCaehSIzPxUZG+dGdQUwHei/jpynIqPN
	 41qelGhwglBdGhPvJoQTQB2nTtOo+vIBqaM6VQ1QIFx6wEiozOYnSmU8zAjxpVEggx
	 iPHjpB3O9yhwgd1RWROC640Fh4kadLMZ3caVr2c4=
Received:
	
From:
To:
Reply-To:
Subject:=
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: DR, OOF, AutoReply, NDR, RN
Precedence: bulk
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----8C7DA39324C1A477FAE48B092440FC8D"
Message-Id:
Date: Mon, 24 Jan 2022 02:01:01 +0100 (CET)
X-TUID: JLfg3ANo7QZY

This is an S/MIME signed message

------8C7DA39324C1A477FAE48B092440FC8D
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: quoted-printable

MESSAGE BODY CENSORED

------8C7DA39324C1A477FAE48B092440FC8D
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIITrwYJKoZIhvcNAQcCoIIToDCCE5wCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgghDCMIIFrDCCBJSgAwIBAgIHG2O60B4sPTANBgkqhkiG9w0BAQsF
ADCBlTELMAkGA1UEBhMCREUxRTBDBgNVBAoTPFZlcmVpbiB6dXIgRm9lcmRlcnVu
ZyBlaW5lcyBEZXV0c2NoZW4gRm9yc2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UE
CxMHREZOLVBLSTEtMCsGA1UEAxMkREZOLVZlcmVpbiBDZXJ0aWZpY2F0aW9uIEF1
dGhvcml0eSAyMB4XDTE2MDUyNDExMzg0MFoXDTMxMDIyMjIzNTk1OVowgY0xCzAJ
BgNVBAYTAkRFMUUwQwYDVQQKDDxWZXJlaW4genVyIEZvZXJkZXJ1bmcgZWluZXMg
RGV1dHNjaGVuIEZvcnNjaHVuZ3NuZXR6ZXMgZS4gVi4xEDAOBgNVBAsMB0RGTi1Q
S0kxJTAjBgNVBAMMHERGTi1WZXJlaW4gR2xvYmFsIElzc3VpbmcgQ0EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdO3kcR94fhsvGadcQnjnX2aIw23Ic
BX8pX0to8a0Z1kzhaxuxC3+hq+B7i4vYLc5uiDoQ7lflHn8EUTbrunBtY6C+li5A
4dGDTGY9HGRp5ZukrXKuaDlRh3nMF9OuL11jcUs5eutCp5eQaQW/kP+kQHC9A+e/
nhiIH5+ZiE0OR41IX2WZENLZKkntwbktHZ8SyxXTP38eVC86rpNXp354ytVK4hrl
7UF9U1/Isyr1ijCs7RcFJD+2oAsH/U0amgNSoDac3iSHZeTn+seWcyQUzdDoG2ie
GFmudn730Qp4PIdLsDfPU8o6OBDzy0dtjGQ9PFpFSrrKgHy48+enTEzNAgMBAAGj
ggIFMIICATASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjApBgNV
HSAEIjAgMA0GCysGAQQBga0hgiweMA8GDSsGAQQBga0hgiwBAQQwHQYDVR0OBBYE
FGs6mIv58lOJ2uCtsjIeCR/oqjt0MB8GA1UdIwQYMBaAFJPj2DIm2tXxSqWRSuDq
S+KiDM/hMIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jZHAxLnBjYS5kZm4u
ZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwQKA+oDyGOmh0
dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9j
YWNybC5jcmwwgd0GCCsGAQUFBwEBBIHQMIHNMDMGCCsGAQUFBzABhidodHRwOi8v
b2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSgYIKwYBBQUHMAKGPmh0
dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NhY2Vy
dC9jYWNlcnQuY3J0MEoGCCsGAQUFBzAChj5odHRwOi8vY2RwMi5wY2EuZGZuLmRl
L2dsb2JhbC1yb290LWcyLWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG
9w0BAQsFAAOCAQEAgXhFpE6kfw5V8Amxaj54zGg1qRzzlZ4/8/jfazh3iSyNta0+
x/KUzaAGrrrMqLGtMwi2JIZiNkx4blDw1W5gjU9SMUOXRnXwYuRuZlHBQjFnUOVJ
5zkey5/KhkjeCBT/FUsrZpugOJ8Azv2n69F/Vy3ITF/cEBGXPpYEAlyEqCk5bJT8
EJIGe57u2Ea0G7UDDDjZ3LCpP3EGC7IDBzPCjUhjJSU8entXbveKBTjvuKCuL/Tb
B9VbhBjBqbhLzmyQGoLkuT36d/HSHzMCv1PndvncJiVBby+mG/qkE5D6fH7ZC2Bd
7L/KQaBh+xFJKdioLXUV2EoY6hbvVTQiGhONBjCCBRIwggP6oAMCAQICCQDjC9X4
ryXZgTANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQt
U3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lz
dGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290
IENsYXNzIDIwHhcNMTYwMjIyMTMzODIyWhcNMzEwMjIyMjM1OTU5WjCBlTELMAkG
A1UEBhMCREUxRTBDBgNVBAoTPFZlcmVpbiB6dXIgRm9lcmRlcnVuZyBlaW5lcyBE
ZXV0c2NoZW4gRm9yc2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UECxMHREZOLVBL
STEtMCsGA1UEAxMkREZOLVZlcmVpbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAy
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy2DX/2ahQc3S+oeXinOr
mU3qZzlaoWCARxVOjJWy5c/O01dLjc74VmwVVXYH6kb9yANFYz5w1KtUgLEjnL43
KKkJ/wVdGA/EmJk3syD2ZngXh8KdDsxKMucWna4OjSl5BwAgVNwVX0qW13i2NNPB
dLWd6b/Ad03qvVkH4FovbDylANw1vWUNj38ybfJaaktiAe6sODRZRTZJBdp4ympt
W8CBaxHM0jyoi/hxGso74oDdFrRneos26k6RKT2zUVytqAy+nTTj0Q0Xg3XEOR6w
lAsS8dVpjiX0uD0rv8COwx47pb9VEKsqrheXXjPOyPP0CQfjAoYxRmsBxRAMEcdZ
6QIDAQABo4IBdDCCAXAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBST49gyJtrV
8UqlkUrg6kviogzP4TAfBgNVHSMEGDAWgBS/WSA2AHmgoCJrjNXyYdK4LMuCSjAS
BgNVHRMBAf8ECDAGAQH/AgECMDMGA1UdIAQsMCowDwYNKwYBBAGBrSGCLAEBBDAN
BgsrBgEEAYGtIYIsHjAIBgZngQwBAgIwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDov
L3BraTAzMzYudGVsZXNlYy5kZS9ybC9UZWxlU2VjX0dsb2JhbFJvb3RfQ2xhc3Nf
Mi5jcmwwgYYGCCsGAQUFBwEBBHoweDAsBggrBgEFBQcwAYYgaHR0cDovL29jc3Aw
MzM2LnRlbGVzZWMuZGUvb2NzcHIwSAYIKwYBBQUHMAKGPGh0dHA6Ly9wa2kwMzM2
LnRlbGVzZWMuZGUvY3J0L1RlbGVTZWNfR2xvYmFsUm9vdF9DbGFzc18yLmNlcjAN
BgkqhkiG9w0BAQsFAAOCAQEAhwv/PgKbZchWLdY7mpiLcU/auimqIflGLvWypA+u
ETh5OLMOdLp2XZ7oGIKWYttMM+jd+WrfMr0sTEdgVX/ndGu0LIPYeWu2t01QC2YH
te2zl63q7n8w5pn9IuJyTT6EW+75z5nqf9dSOS6smABEfmk7v3Xu0As7Gs3l9w8i
bEeE9qVHoP3QGjR9rdI9d7Pu9NdN/8Po5ZJPWT6QRxBKsIVYwG9/+K7tCEKeHtTf
FC5Nj7yelMPn7fYY+DxJ5yaopzbYLN4izYuC2Nl44lUSozuHRLYRC9UMUq9pjA8G
39CiU4tXmHvP/Qck9Py9w/1KkgKXG/K3ts9lihqitXIZOTCCBfgwggTgoAMCAQIC
DCJBHbg+HZR4PfHGvDANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCREUxRTBD
BgNVBAoMPFZlcmVpbiB6dXIgRm9lcmRlcnVuZyBlaW5lcyBEZXV0c2NoZW4gRm9y
c2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UECwwHREZOLVBLSTElMCMGA1UEAwwc
REZOLVZlcmVpbiBHbG9iYWwgSXNzdWluZyBDQTAeFw0yMDAxMTcxMTUzMTNaFw0y
MzAxMTYxMTUzMTNaMIGYMQswCQYDVQQGEwJERTEQMA4GA1UECAwHSGFtYnVyZzEQ
MA4GA1UEBwwHSGFtYnVyZzEoMCYGA1UECgwfVGVjaG5pc2NoZSBVbml2ZXJzaXRh
ZXQgSGFtYnVyZzEWMBQGA1UECwwNUmVjaGVuemVudHJ1bTEjMCEGA1UEAwwaR1JQ
OktFUkJFUk9TLlRVLUhBUkJVUkcuREUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDCV8RxvDCeCDWQudzrF27+2kcFKFfPYNG639G0h4UOa3Z6gCPSXWaR
CzqcckrQ2nxueicColTRrGKekfnTc6LpV44aJHU/yPrAJxqNhr31zGcNf+j8iFdc
UIXLrUMCajd4VgQcrlMv51+4FOUdyKWAO4R2sX7uMFUO/dEY0uOU6WzacP1gbRNi
KcINQ/aTLBWzkLK+cg7158QGTIAPYpFXgnCp9n5WpqppxFvh9uhape6lm8nCmKzN
iEOQJ3xZwYF0KLiufAMfEe2GSDaAnRf7/i3nMC824ZqqbUkgR9KgvDuDW63l4fRG
Ruvi+a4m5IjmR9jRCYtbNMCEDppCewZRAgMBAAGjggJJMIICRTA+BgNVHSAENzA1
MA8GDSsGAQQBga0hgiwBAQQwEAYOKwYBBAGBrSGCLAEBBAQwEAYOKwYBBAGBrSGC
LAIBBAQwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYB
BQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBQUlYFpbYl7UIXKLCe8FT+ljVlMojAf
BgNVHSMEGDAWgBRrOpiL+fJTidrgrbIyHgkf6Ko7dDAbBgNVHREEFDASgRBrZXJi
ZXJvc0B0dWhoLmRlMIGNBgNVHR8EgYUwgYIwP6A9oDuGOWh0dHA6Ly9jZHAxLnBj
YS5kZm4uZGUvZGZuLWNhLWdsb2JhbC1nMi9wdWIvY3JsL2NhY3JsLmNybDA/oD2g
O4Y5aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tY2EtZ2xvYmFsLWcyL3B1Yi9j
cmwvY2FjcmwuY3JsMIHbBggrBgEFBQcBAQSBzjCByzAzBggrBgEFBQcwAYYnaHR0
cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEkGCCsGAQUFBzAC
hj1odHRwOi8vY2RwMS5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2Nh
Y2VydC9jYWNlcnQuY3J0MEkGCCsGAQUFBzAChj1odHRwOi8vY2RwMi5wY2EuZGZu
LmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2VydC9jYWNlcnQuY3J0MA0GCSqG
SIb3DQEBCwUAA4IBAQBDDuk9wNobbnL6FSf8/o0XFXlBFO/x/bCD0NZ8RgLcEb+S
TEvZN43C26FK/q5p0ngvW4PH8h9zWVxktohNY9jvwWRZ2S4b09ovJJ+YFxt/ojmT
UbFehqQg/Dbt9FDCBF3nuUhO3tgY8q5oLX5+FV+QIZ5QAOrByqoaS9HPIOlufaUC
qbpkk7HxdNThu0iSmSUXrxweJhgoInRZdZxyHmgIHpJ/YtDhyL0pwu5QF2Ef7S6c
D+TwsSzbxvb7JKlllJP9RZjucrr9wwXi7PF7qZtQBC4awSt3olj3MB/yTUfHgNcC
8Qy/XTu00xzpleGpWOt+9zrFoDMK6haLXJcDPdHZMYICsTCCAq0CAQEwgZ4wgY0x
CzAJBgNVBAYTAkRFMUUwQwYDVQQKDDxWZXJlaW4genVyIEZvZXJkZXJ1bmcgZWlu
ZXMgRGV1dHNjaGVuIEZvcnNjaHVuZ3NuZXR6ZXMgZS4gVi4xEDAOBgNVBAsMB0RG
Ti1QS0kxJTAjBgNVBAMMHERGTi1WZXJlaW4gR2xvYmFsIElzc3VpbmcgQ0ECDCJB
Hbg+HZR4PfHGvDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZI
hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMjAxMjQwMTAxMDFaMC8GCSqGSIb3DQEJ
BDEiBCBGEI2ipQF+uWEDGdhKzJxSQPacbYhYKD+DykUXgvUt6zB5BgkqhkiG9w0B
CQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoG
CCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMC
BzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQBaUcPzYBPSCFvsU+Tr
tYlxT/96Z1I/JUlrcGp8cSsLao+l3S/ImQWvKs00n5/GGWsD3/Bnc9cTF9Qw0obY
usFl805xrw75W13xTEOWJCY9Y6JL1n+gxBk6k+LPDYPd5mCBKn0ypAf4ckDijyJ8
2VBmrVt64BOwvd+8qtOoiWu2qfOlyS7/aA6/VKKsW5VsEBgE5m8J/mqPUv8LusXz
WCJ7XzhWlVlaCDFtTBb1DxV5cqZ/EPFjGkTuuvzxsM5IDNbELL2e4YXGf8ONRtxl
nOkWN+A5hDEawVEfiQxUHhA67VkfZwdEqAAFS8XB7rjUSUU7/wdg9Gbf0cg8cYzg
BqjR

------8C7DA39324C1A477FAE48B092440FC8D--



[-- Attachment #3: Type: text/plain, Size: 0 bytes --]

Re: Emacs lagging for ~4min when opening from certain email.

[David Bremner]

navse@mailbox.org writes:

> Hello,
>
> I have been using Notmuch with Emacs for a couple of days and it has
> been working great, except for when I open mails from a certain sender
> with S/MIME signed messages, Emacs will freeze up for about 4 minutes.
> Opening the expandable signature inside of the Email repeats the lag.
> Lag causing message is attached with confidential lines deleted.
>
> Help is much appreciated and thank you for providing great FOSS.
> - N

S/MIME has this feature (design flaw?) where it wants to phone home to
see if the certificate has been revoked.  This can result in the kinds
of delays you describe. One option is to add "disable-crl-checks" to
~/.gnupg/dirmngr.conf. This will have the side effect that you will not
be notified about certificate revocations (unless maybe you re-fetch the
cert?).

Re: Emacs lagging for ~4min when opening from certain email.

[Justus Winter]

[-- Attachment #1.1: Type: text/plain, Size: 944 bytes --]

Hi,

navse@mailbox.org writes:

> I have been using Notmuch with Emacs for a couple of days and it has
> been working great, except for when I open mails from a certain sender
> with S/MIME signed messages, Emacs will freeze up for about 4 minutes.
> Opening the expandable signature inside of the Email repeats the lag.

Just to point you into the right direction, I'm pretty sure that this is
gpgsm reaching out to a network server, maybe to fetch certificate
revocation lists or something.  I'm not too familiar with gpgsm.

Depending on your needs, there are several things to do.

If you don't need S/MIME at all, uninstall or chmod 0 gpgsm.  That is
what I do :D

If you need S/MIME, consult man gpgsm, there are switches that turn off
certain things involving network services (e.g. disable-crl-checks), or
all network services (disable-dirmngr).  Beware, this may change
semantics or weaken the S/MIME support.

Hope that helps,
Justus

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Emacs lagging for ~4min when opening from certain email.

[David Bremner]

David Bremner <david@tethera.net> writes:

> navse@mailbox.org writes:
>
>> Hello,
>>
>> I have been using Notmuch with Emacs for a couple of days and it has
>> been working great, except for when I open mails from a certain sender
>> with S/MIME signed messages, Emacs will freeze up for about 4 minutes.
>> Opening the expandable signature inside of the Email repeats the lag.
>> Lag causing message is attached with confidential lines deleted.
>>
>> Help is much appreciated and thank you for providing great FOSS.
>> - N

I don't know if this is related to the censoring, or just a difference
in our gpgsm setups, but I only noticed the delay the first time I
opened the message. I think there is likely some caching going on with
gpgsm, but it might also be because the signature is recognized as bad,
so the CRL check is not done.

d

certificate revocation checking for signed e-mail [was: Re: Emacs lagging for ~4min when opening from certain email.]

[Daniel Kahn Gillmor]

[-- Attachment #1.1: Type: text/plain, Size: 2197 bytes --]

On Mon 2022-01-24 14:02:33 +0100, Justus Winter wrote:
> navse@mailbox.org writes:
>
>> I have been using Notmuch with Emacs for a couple of days and it has
>> been working great, except for when I open mails from a certain sender
>> with S/MIME signed messages, Emacs will freeze up for about 4 minutes.
>> Opening the expandable signature inside of the Email repeats the lag.
>
> Just to point you into the right direction, I'm pretty sure that this is
> gpgsm reaching out to a network server, maybe to fetch certificate
> revocation lists or something.

I think Justus is on target about what the issue is here.

GnuPG upstream appears to think that the privacy and latency costs of
default revocation checking are an acceptable tradeoff:

    https://dev.gnupg.org/T3348

The S/MIME standard barely touches on revocation checking, and doesn't
seem to mandate it or refuse it:

    https://www.rfc-editor.org/rfc/rfc8551.html

The IETF LAMPS working group has adopted a document about guidance for
end-to-end cryptographic protections for e-mail, which currently has a
FIXME in the section about revocation checking:

    https://www.ietf.org/archive/id/draft-ietf-lamps-e2e-mail-guidance-02.html#name-checking-for-revocation

I'm the original author and editor of that draft, and i would be *very*
happy to get additional feedback/suggestions/contributed text about what
folks think *should* be done here.

If you might be interested in making a contribution, the LAMPS WG
mailing list is spasm@ietf.org, or you can reply to me on this thread,
or you can open issues or merge requests at
https://gitlab.com/dkg/lamps-header-protection

Arguably for notmuch, one of the ways to address this (or at least to
amortize the costs) would be to cache the results of signature
verification so that it doesn't happen for every message every time you
view a thread.  Presumably a cached sig verification could also skip
over cert revocation checks.  See id:87sgodxlk0.fsf@fifthhorseman.net on
this mailing list (from me, Subject: "performance on long
encrypted+signed threads" Date: 2019-09-30) for more discussion of the
problem.  Regrettably, i haven't made any progress on fixing it.

        --dkg

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]