From: David Bremner
To: Daniel Kahn Gillmor, Notmuch Mail
Subject: Re: [PATCH 17/20] cli/reply: add --protected-subject boolean flag
In-Reply-To: <20180511055544.13676-18-dkg@fifthhorseman.net>
References: <20180511055544.13676-1-dkg@fifthhorseman.net> <20180511055544.13676-18-dkg@fifthhorseman.net>
Date: Fri, 29 Jun 2018 08:51:14 -0300
Message-ID: <87d0w9vmj1.fsf@tethera.net>

Daniel Kahn Gillmor writes:

> This flag indicates the intent of the client to protect the subject
> line, which allows "notmuch reply" to safely emit the earlier
> message's encrypted subject without risking leaking it in the clear in
> the reply.
>
> Obviously, it should only be used by a client that *will* protect the
> subject line. This feels clumsier than I'd like, but we really don't
> want to be the ones who leak data on the wire that had been protected
> otherwise, and this seems like a safe way to ensure that the MUA is
> capable.
> ---
> doc/man1/notmuch-reply.rst | 12 ++++++++++++
> notmuch-client.h | 4 +++-
> notmuch-reply.c | 20 ++++++++++++--------
> notmuch-show.c | 9 ++++++++-
> test/T356-protected-headers.sh | 7 +++++++
> 5 files changed, 42 insertions(+), 10 deletions(-)
>
> diff --git a/doc/man1/notmuch-reply.rst b/doc/man1/notmuch-reply.rst
> index c893ba04..08aadba6 100644
> --- a/doc/man1/notmuch-reply.rst
> +++ b/doc/man1/notmuch-reply.rst
> @@ -70,6 +70,18 @@ Supported options for **reply** include
> order, and copy values from the first that contains something
> other than only the user's addresses.
>
> +``--protected-subject=(true|false)``
> +
> + Indicates that the replying client plans to protect (hide) the
> + subject in the subsequent reply. When replying to an encrypted
> + message that itself has an encrypted subject, **notmuch**
> + **reply** needs to propose a subject for the new reply e-mail. If
> + the client can handle protected subjects safely (if this flag is
> + set to ``true``), then the cleartext subject will be proposed.
> + Otherwise, the external (dummy) subject is proposed, to avoid
> + leaking the previously protected subject on reply. Defaults to
> + ``false``.
> +
> ``--decrypt=(false|auto|true)``

What about using a keyword argument like --protected=subject? That would allow easy future addition of protected headers by specifying e.g. --protected=subject --protected=references

> If ``true``, decrypt any MIME encrypted parts found in the
> diff --git a/notmuch-client.h b/notmuch-client.h
> index 0af96986..014fa064 100644
> --- a/notmuch-client.h
> +++ b/notmuch-client.h
> @@ -235,7 +235,9 @@ typedef enum {
> /* typical "notmuch show" or other standard output: */
> HEADERS_FORMAT_NORMAL = 0,
> /* set only if this is being generated as a reply: */
> - HEADERS_FORMAT_REPLY = 1 << 0
> + HEADERS_FORMAT_REPLY = 1 << 0,
> + /* set only if the invoking MUA will responsibly protect the subject line */
> + HEADERS_FORMAT_PROTECTED_SUBJECT = 1 << 1
> } notmuch_headers_format_flags;

A minor improvement might be to end the list with a ',' from the start to minimize diff.

>
> diff --git a/notmuch-reply.c b/notmuch-reply.c
> index 749eac6d..d1092ce9 100644
> --- a/notmuch-reply.c
> +++ b/notmuch-reply.c
> @@ -612,7 +612,8 @@ static int do_reply(notmuch_config_t *config,
> notmuch_query_t *query,
> notmuch_show_params_t *params,
> int format,
> - bool reply_all)
> + bool reply_all,
> + bool protected_subject)

Similarly, maybe use the already defined flag enum rather than a boolean here.

d
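Review bot: the ``--protected-subject`` text in the notmuch-reply.rst hunk should say that notmuch cannot verify the client's claim: passing ``true`` is a promise that the outgoing reply will carry the subject in protected (encrypted) form, and a client that sets it and then sends the reply in the clear will itself put the previously encrypted subject on the wire. Suggest a sentence after "Defaults to ``false``." along the lines of: "Only set this to ``true`` if the reply will in fact be sent with a protected subject; **notmuch** has no way to check this." Keeping ``false`` as the default is the right fail-safe direction.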
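Review bot: the comment on HEADERS_FORMAT_PROTECTED_SUBJECT in the notmuch-client.h hunk should state that the flag is only meaningful together with HEADERS_FORMAT_REPLY, since the subject choice the rst hunk describes only arises when a reply is being generated; something like "/* only meaningful when HEADERS_FORMAT_REPLY is also set */" makes an accidental use of the flag in the plain "notmuch show" path easier to spot in review.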
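Review bot: in the notmuch-reply.c hunk, carrying "bool protected_subject" next to "bool reply_all" means the same fact exists twice, once as this boolean and once as the HEADERS_FORMAT_PROTECTED_SUBJECT bit that the header formatter must eventually receive, so the two can drift apart at whichever call site does the translation; passing the flag value through in "int format" from the start keeps a single representation of "the client will protect the subject" and removes that translation step.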