From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dkg@fifthhorseman.net>
Received: from localhost (localhost [127.0.0.1])
 by arlo.cworth.org (Postfix) with ESMTP id 76CA56DE0164
 for <notmuch@notmuchmail.org>; Tue, 14 Nov 2017 05:59:32 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at cworth.org
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[AWL=0.000]
 autolearn=disabled
Received: from arlo.cworth.org ([127.0.0.1])
 by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 2UokSeaLuMhm for <notmuch@notmuchmail.org>;
 Tue, 14 Nov 2017 05:59:31 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118])
 by arlo.cworth.org (Postfix) with ESMTP id A17A26DE010F
 for <notmuch@notmuchmail.org>; Tue, 14 Nov 2017 05:59:31 -0800 (PST)
Received: from fifthhorseman.net (unknown [118.200.9.16])
 by che.mayfirst.org (Postfix) with ESMTPSA id 32E37F99B;
 Tue, 14 Nov 2017 08:59:30 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id 650B821D08; Tue, 14 Nov 2017 21:58:17 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: David Bremner <david@tethera.net>, Notmuch Mail <notmuch@notmuchmail.org>
Subject: Re: [PATCH 05/18] crypto: Test restore of cleartext index from
 stashed session keys
In-Reply-To: <87o9o59f5b.fsf@tethera.net>
References: <20171025065203.24403-1-dkg@fifthhorseman.net>
 <20171025065203.24403-6-dkg@fifthhorseman.net> <87o9o59f5b.fsf@tethera.net>
Date: Tue, 14 Nov 2017 21:58:17 +0800
Message-ID: <87k1ytx8qu.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Use and development of the notmuch mail system."
 <notmuch.notmuchmail.org>
List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch/>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 13:59:32 -0000

On Tue 2017-11-14 09:13:52 -0400, David Bremner wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>
>> If you've got a notmuch dump that includes stashed session keys for
>> every decrypted message, and you've got your message archive, you
>> should be able to get back to the same index that you had before.
>
> Out of curiousity, have you given any thought to what happens when
> someone sends a message with the same message-id but a different
> session-key? it seems like the user can potentially lose access to the
> encrypted message.

yep!  I even have that case in my own mailbox due to messages i've sent
to schleuder encrypted mailing lists to which i'm also subscribed.

It works fine.  notmuch stashes both session keys against the message-id
(you can have multiple properties with the same name as long as they
have different values).  And upon decryption, it tries each session-key
in succession.  This is a little bit sloppy (maybe it would be less
sloppy to associate each message key with each version of the message
somehow?), but it's significantly simpler and basically unnoticeable
compared to the speedup gains provided by the rest of the series.

         --dkg