From: Carl Worth
To: Daniel Kahn Gillmor, notmuch
Subject: Re: a proposed change to JSON output to report verification of PGP/MIME signatures.
Date: Tue, 16 Nov 2010 11:47:13 -0800
Message-ID: <87hbfhdpa6.fsf@yoom.home.cworth.org>
In-Reply-To: <4CDE4486.2050101@fifthhorseman.net>

On Sat, 13 Nov 2010 02:55:50 -0500, Daniel Kahn Gillmor wrote:
> i've been trying to wrap my head around how to get notmuch to support
> verifying cryptographically-signed mail. i'm afraid my current
> understanding of the problem space is that it is neither pretty nor
> clean. Sorry for the length of this message.

No apology necessary! I really appreciate you putting a lot of thought
into this.

[snip many details of proposal]

> MIME is actually a tree structure, and any subtree can be signed. But
> currently, "notmuch show" hides the tree structure and produces what
> appears to be a linear set of parts.

The current linearization of parts is a bug that should be fixed. And I
think several aspects of your proposal are effectively workarounds for
this bug.

So I'd rather we fix the json output to emit the tree structure first,
and then see what parts of the proposal can be eliminated.

[And I think David Edmondson's reply said the same as above, but with
more detail. Right?]

> If you actually read this far, you are a champion! I look forward to
> any feedback you have.

The only other piece I think I'd like to see is actually making the
content of the signature pieces available in the json output. Then, a
client could do its own verification.

Then if we had that would we not want to add the --verify support into
notmuch? (My guess is that we still would want it.)

-Carl

-- 
carl.d.worth@intel.com
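The two points in the message above (a flat list of parts loses which subtree a signature covers, and a client needs the signature content to verify on its own), shown as an added example that is not part of the original thread and is not notmuch's code or JSON schema. It uses Python's standard `email` package on a constructed message; the key names `in_signed_subtree` and `content` are assumptions made for illustration.

```python
import json
from email import message_from_string, policy

# Constructed sample: multipart/mixed = [multipart/signed subtree, unsigned footer].
RAW = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; boundary="inner"; micalg=pgp-sha1;
 protocol="application/pgp-signature"

--inner
Content-Type: text/plain

signed body
--inner
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--inner--
--outer
Content-Type: text/plain

unsigned list footer
--outer--
"""
MSG = message_from_string(RAW, policy=policy.default)

def flat(msg):
    """Linearised view: leaf content types only, nesting discarded."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def tree(part, covered=False):
    """Nested view. 'in_signed_subtree' (hypothetical key) marks parts under
    the first child of a multipart/signed node: covered, not yet verified."""
    node = {"content-type": part.get_content_type(), "in_signed_subtree": covered}
    if part.is_multipart():
        signed = part.get_content_type() == "multipart/signed"
        node["content"] = [tree(kid, covered or (signed and i == 0))
                           for i, kid in enumerate(part.get_payload())]
    elif part.get_content_type() == "application/pgp-signature":
        node["content"] = part.get_payload()  # armored signature, passed through
    return node

if __name__ == "__main__":
    print(flat(MSG), json.dumps(tree(MSG), indent=2), sep="\n")
```

In the flat view the two `text/plain` parts are indistinguishable, while the tree shows that only the first one sits under the signature. A client doing its own verification also needs the first child of the `multipart/signed` part byte-for-byte as transmitted, since under RFC 3156 the signature is computed over that part including its MIME headers.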