Re: [PATCH v2 0/2] scaffolding for autocrypt support

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

[-- Attachment #1.1: Type: text/plain, Size: 4950 bytes --]

Hi David, all--

On Sun 2021-02-21 15:21:30 +0000, David Edmondson wrote:
> I started looking at how to add autocrypt support based on
> https://git.sr.ht/~zge/autocrypt.

Thanks for this work, i'm glad to see the interest in autocrypt!

I tend to think that the autocrypt handling belongs in libnotmuch, and
not just in the emacs frontend, so i'm a bit concerned about what we'll
have to prune out of the emacs frontend if we do manage to land the
features in libnotmuch itself.

I want it in libnotmuch and in the cli because:

 a) i want the database to hold the autocrypt tables, so that it can be
    dumped/restored between notmuch-based clients

 b) i want non-emacs frontends of notmuch to be able to make use of it
    relatively easily.

that said, i've failed to get the code into shape for libnotmuch yet,
and i also don't want to block this work -- i want to see more autocrypt
adoption generally, and i'm feeling guilty for having been so tardy in
getting ito into notmuch.

My general outline for getting autocrypt into notmuch is the following
list of steps.  it's a fairly long list, but each step shouldn't be a
huge amount of work.

 0) augment the database so that it can store the autocrypt "peers"
    table and the autocrypt "accounts" table, and they can be dumped and
    restored.  see
    https://autocrypt.org/level1.html#autocrypt-internal-state

 1) add a configuration option that affects "notmuch
    {new,insert,reindex}" that ingests the loading of autocrypt headers
    according to the standard policy for updating the peer state (see
    https://autocrypt.org/level1.html#updating-autocrypt-peer-state)

 2) add a configuration option that affects "notmuch
    {new,insert,reindex}" that enables detection of any Autocrypt Setup
    Message from another client sharing the same inbox, and adjusts the
    "accounts" table appropriately.

 3) add a "notmuch autocrypt" subcommand with its own subsubcommands:
    "notmuch autocrypt enable <addr> [mutual]" and "notmuch autocrypt
    disable <addr>" -- these subsubcommands update the "accounts" table
    as well.

 4) add "notmuch autocrypt generate-setup-message" subsubcommand for
    enabled accounts that produces its own self-targeted Autocrypt Setup
    Message on stdout, which can be injected into the mailsystem
    by the user's notmuch setup.

 5) Add "notmuch autocrypt prune" subsubcommand which clears accumulated
    cruft from the autocrypt peers table

 6) in libnotmuch, if <from> is a source e-mail address, and <to> is a
    set of destination addresses, add <is_replying_to_encrypted> is a
    boolean, a new function notmuch_autocrypt_recommendation(<from>,
    <to>, <is_replying_to_encrypted>) that returns an Autocrypt
    Recommendation (ui-recommendation and a set of target-keys, see
    https://autocrypt.org/level1.html#provide-a-recommendation-for-message-encryption)

 7) add a new subsubcommand that exposes
    notmuch_autocrypt_recommendation() to the cli.

 8) emacs frontend work during message composition (i have no idea how
    to do this) -- dynamically adjust the message composition buffer as
    the from, to, cc, and bcc fields change to show the current
    autocrypt recommendation status, in combination with the ability for
    the user to manually turn on encryption (if available) or off (if on
    by default).

 9) more emacs frontend work -- at send time (at the end of composition)
    if the autocrypt recommendation is encrypt, or if it's available and
    the user has manually turned it on, encrypt the message using
    standard autocrypt format (which is just PGP/MIME, using the
    recommended keys).

It's possible that (9) could be replaced with a new subcommand like
"notmuch send" which could have a "--autocrypt-checked" argument, such
that the notmuch cli actually does the full encryption for the user, or
acts as some sort of filter for the outgoing message.  there might also
be some library-level work that could use notmuch and gmime to translate
the message this way; I haven't really pieced those things together, or
how they would integrate into the emacs frontend, but the steps laid out
above seem to be necessary for that to happen in either case.

I'd love any collaboration on this -- especially for the parts that i
don't know how to do at all, like the emacs composition window frontend
-- but also on the earlier parts, as i've been procrastinating on it for
too long.

David, do you think this plan will collide with the series you're
proposing?  do you see problems or downsides with the plan sketched here
(other than it not existing 😛)?

> Sending seems straightforward, as far as I understand autocrypt, at
> least.

https://autocrypt.org and the #autocrypt channel on freenode are both
good resources for understanding autocrypt in more detail, fwiw.

     --dkg

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]