From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 5609C6DE0BF6 for ; Mon, 30 Oct 2017 05:54:45 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.775 X-Spam-Level: X-Spam-Status: No, score=-0.775 tagged_above=-999 required=5 tests=[AWL=-0.776, UNPARSEABLE_RELAY=0.001] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9R0KuU55kJG1 for ; Mon, 30 Oct 2017 05:54:44 -0700 (PDT) X-Greylist: delayed 509 seconds by postgrey-1.36 at arlo; Mon, 30 Oct 2017 05:54:43 PDT Received: from marcos.anarc.at (marcos.anarc.at [206.248.172.91]) by arlo.cworth.org (Postfix) with ESMTPS id B32876DE0BB9 for ; Mon, 30 Oct 2017 05:54:43 -0700 (PDT) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: anarcat) with ESMTPSA id 55EEE1A00AA From: =?utf-8?Q?Antoine_Beaupr=C3=A9?= To: notmuch@notmuchmail.org Cc: Daniel Kahn Gillmor Subject: Re: [PATCH] NEWS: cleartext indexing Message-ID: <8760b4a3cs.fsf@curie.anarc.at> References: <20171022153634.14802-1-dkg@fifthhorseman.net> Date: Mon, 30 Oct 2017 08:46:12 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Mon, 30 Oct 2017 08:00:20 -0700 X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Oct 2017 12:54:45 -0000 On 2017-10-22 11:36:34, Daniel Kahn Gillmor wrote: > + Note that the contents of the index are sufficient to roughly > + reconstruct the cleartext of the message itself, so please ensure > + that the notmuch index itself is adequately protected. DO NOT USE > + this feature without considering the security of your index. Could we expand on what those security options could be? Full disk encryption? Or is there some way to PGP-encrypt the index and have it decrypted on the fly? Security, in this context, seems a little broad... I do have a antsy feeling at decrypting all my private emails in a cleartext database without additional measures. I'd sure love to see this notion expanded here somehow. By the way, I have similar concerns about the autocrypt approach, which goes even further and says private key material should not be protected by a password at all: http://autocrypt.readthedocs.io/en/latest/level1.html#secret-key-protection= -at-rest It would be interesting to explain the rationale around those decisions (which autocrypt does) and possible safeguards that mitigate those issues (which autocrypt doesn't). Thanks! A. --=20 =C3=80 mesure que l'opression s'=C3=A9tend =C3=A0 tous les secteurs de la v= ie, la r=C3=A9volte prend l'allure d'une guerre sociale.=20 Les =C3=A9meutes renaissent et annoncent la r=C3=A9volution =C3=A0 venir. - Jean-Fran=C3=A7ois Brient, de la servitude moderne