From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: Re: [PATCH 3/3] emacs: Drop content-free "Unknown signature status" button
Date: Tue, 23 Apr 2019 12:18:29 -0400
Message-ID: <8736m8vgoa.fsf@fifthhorseman.net>
In-Reply-To: <87v9z6uf2q.fsf@fifthhorseman.net>
References: <20190422171814.16480-1-dkg@fifthhorseman.net> <20190422171814.16480-3-dkg@fifthhorseman.net> <87v9z6uf2q.fsf@fifthhorseman.net>

On Mon 2019-04-22 13:26:05 -0400, Daniel Kahn Gillmor wrote:
> On Mon 2019-04-22 13:18:14 -0400, Daniel Kahn Gillmor wrote:
>> When we have not been able to evaluate the signature status of a given
>> MIME part, showing a content-free (and interaction-free) "[ Unknown
>> signature status ]" button doesn't really help the user at all, and
>> takes up valuable screen real-estate.
>>
>> A visual reminder that a given message is *not* signed isn't helpful
>> unless it is always present, in which case we'd want to see "[ Unknown
>> signature status ]" buttons on all messages, even ones that don't have
>> a signing structure, but i don't think we want that.
>
> This is a small step down the path of making notmuch-emacs friendlier
> with regards to encrypted messages, but it's one that will have an
> effect on future patch series that work with encrypted messages. I'd be
> happy to hear any concerns people have about this change, but i find
> notmuch-emacs is more pleasant to use this way.

I've heard from some people that they don't like this final patch
because the "[ Unknown signature status ]" button is at least an
indication that the message appears to be signed (even if we decided
not to -- or were unable to -- evaluate the signature).

I considered this argument when writing the patch initially, and i
don't think it's a good argument for two reasons:

 a) without actual signature verification, the user experience is
    trivially scammable by an adversary who knows how to craft a MIME
    message, and it's basically encouraging a user pattern that is
    something along the lines of:

       https://xkcd.com/1181/

    (though maybe a bit more subtle, based on MIME structure instead
    of the inline-signing that xkcd is mocking)

    This is a particularly bad security indicator and user experience.
    The thing isn't reliable, and it's not actionable in most cases.

 b) In the current state of the codebase, the presence of the button
    does *not* indicate that a signature-like thing is even present.
    If you look at
    test/emacs-show.expected-output/notmuch-show-decrypted-message,
    that shows the cleartext view of a decrypted message which *does
    not* have an OpenPGP signature on it at all
    (test/corpora/crypto/basic-encrypted.eml is encrypted but
    unsigned).

I could imagine changing notmuch to fix concern (b) -- that is, hiding
the button just in the case where no signature-looking thing is present
at all. But i haven't seen anyone even identify that problem publicly
yet, let alone offer a fix for it.

But i think that (a) is at least as big of a concern as (b); the fix
i'm proposing in this series is actually simpler than such a targeted
fix would be; and the fix in this series actually solves both problems.

If someone wants to offer a fix just for (b) on top of the first two
patches in this series, i'd happily advocate for it as better than the
status quo, which would let us put off (a) to a more interesting and
targeted discussion.

        --dkg
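
An added illustration of concerns (a) and (b), not code from this message or from notmuch: a Python model in which an indicator derived from MIME framing alone fires on a constructed message that was never signed, while an indicator tied to an actual verification verdict stays silent. The sample messages, the `verify` callback and every button label other than "[ Unknown signature status ]" are assumptions made for the example.

```python
from email import message_from_string

# Constructed sample: multipart/signed framing around a "signature" part
# that is plain text. Nothing in this message was ever signed.
LOOKS_SIGNED = (
    'Content-Type: multipart/signed; boundary="b"; '
    'protocol="application/pgp-signature"\n\n'
    '--b\nContent-Type: text/plain\n\nPlease trust me.\n'
    '--b\nContent-Type: application/pgp-signature\n\nnot a signature\n--b--\n'
)
# Constructed sample: ordinary unsigned text.
PLAIN = 'Content-Type: text/plain\n\nhello\n'

UNKNOWN = "[ Unknown signature status ]"


def has_signing_structure(raw):
    """True if a part is framed as multipart/signed with a signature part."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "multipart/signed":
            continue
        kids = part.get_payload()
        if (isinstance(kids, list) and len(kids) == 2 and
                kids[1].get_content_type() == part.get_param("protocol")):
            return True
    return False


def structure_only_button(raw):
    """Model of a fix for (b) alone: button whenever the framing looks signed."""
    return UNKNOWN if has_signing_structure(raw) else None


def verified_only_button(raw, verify):
    """Button only when verification ran and produced a verdict.

    `verify` is a hypothetical callback standing in for real OpenPGP
    verification; it returns "good", "bad", or None if nothing was evaluated.
    """
    if not has_signing_structure(raw):
        return None
    verdict = verify(raw)
    if verdict is None:
        return None  # no content-free indicator
    return "[ %s signature ]" % verdict.capitalize()  # hypothetical label
```
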