From: Daniel Kahn Gillmor
To: David Bremner, Notmuch Mail
Subject: Re: [PATCH v4 2/3] cli/show: make --decrypt take a keyword.
Date: Thu, 28 Dec 2017 22:51:31 -0500
Message-ID: <87efnei43g.fsf@fifthhorseman.net>
In-Reply-To: <877etda4p8.fsf@tethera.net>

On Sat 2017-12-23 10:39:47 -0400, David Bremner wrote:

> One thing that gave me pause is the fact that --decrypt=auto does not
> verify by default. What are the security implications of this?
The only issue is that some messages that are correctly signed are marked as unsigned if the user hasn't chosen to explicitly --decrypt. The reverse failure would be the real security problem, but that's not happening here :)

> Do we verify when indexing? Does this require more documentation?

We do not verify when indexing at all, because we have nothing to do with any statement about signature verification during indexing (we aren't caching it in the database, for example).

If notmuch was to do something more clever with signature verification, i'd be interested in working on it, but i'm not currently clear what that would be, specifically (e.g. Patrick Brunschwig and i discussed some interesting thoughts about signature verification for enigmail that resulted in this mailing list post [0]). But i don't think these decisions are ones that need to be made in the context of this particular series.

All that said, if anyone has been thinking about signature verification for e-mail, i'd be happy to hear your thoughts on how notmuch could do better there.

--dkg

[0] https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2017-November/004683.html