unofficial mirror of notmuch@notmuchmail.org
From: Jameson Graef Rollins <jrollins@finestructure.net>
To: David Bremner <david@tethera.net>,
	john.wyzer@gmx.de, notmuch@notmuchmail.org
Cc: Daniel Kahn Gillmor <dkg@debian.org>
Subject: Re: Feature suggestion. Indexing encrypted mail?
Date: Sat, 05 Apr 2014 12:09:32 -0700
Message-ID: <87txa7pp8z.fsf@servo.finestructure.net>
In-Reply-To: <878urj1z3j.fsf@maritornes.cs.unb.ca>

On Sat, Apr 05 2014, David Bremner <david@tethera.net> wrote:
> john.wyzer@gmx.de writes:
>
>> Would it be possible to add the configurable option to also decrypt
>> encrypted messages on the fly while indexing to make them searchable,
>> too?
>>
>> That would be really great for people that consider gnupg mainly an
>> encryption for transport or have their complete hard drive encrypted...
>
> As far as I understand an attacker could reconstruct the message from the
> index, so one question is whether the extra complexity in notmuch is
> worth the minimal extra security over decrypting on delivery and storing
> plaintext on the (presumably encrypted) disk. Of course decrypting on
> delivery may be inconvenient (or impossible). I have CCed the two people
> who have implemented most of the crypto related stuff in notmuch so they
> can comment.

Indexing encrypted email is a bit of a foot-gun, since, as David
mentions, it is apparently possible to reconstruct encrypted messages
from the index.  It therefore needs to be approached with care.

I think decrypting on "delivery" (or mail fetch or whatever) sounds
difficult and unwieldy.  In either event, it seems out of the scope of
notmuch.  If a user figured out how to have that done, no changes to
notmuch would be needed afaict.
 
I don't think it would be difficult to modify notmuch new to decrypt at
indexing time.  Given that gnupg agent would be used for accessing the
user's private key for decryption, the interface would be fairly
straightforward.

A couple of decryption options could be added to notmuch new:

* don't decrypt: don't attempt to decrypt and index any encrypted
  message (default)

* decrypt always: fail if any encrypted message could not be decrypted

* decrypt opportunistically: attempt to decrypt, but continue indexing
  if an encrypted message could not be decrypted

If something like this is enabled, we should make sure we make the
dangers clear to the users.

jamie.
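
An added sketch, not code from notmuch or from this thread, of the three proposed modes and of why a positional index of decrypted mail is as sensitive as the plaintext. It uses a toy term/position index rather than Xapian's real format; `toy_decrypt`, `KEYRING` and the sample messages are constructed stand-ins for gpg-agent and real mail.

```python
from enum import Enum

class DecryptPolicy(Enum):
    NEVER = "don't decrypt"                      # proposed default
    ALWAYS = "decrypt always"                    # fail on any undecryptable message
    OPPORTUNISTIC = "decrypt opportunistically"  # skip what cannot be decrypted

class DecryptError(Exception):
    pass

# Constructed sample mail: "body" of an encrypted message is only reachable via toy_decrypt.
MESSAGES = [
    {"id": "m1", "encrypted": False, "body": "Lunch at noon"},
    {"id": "m2", "encrypted": True, "key": "alice", "body": "the vault code is 4711"},
    {"id": "m3", "encrypted": True, "key": "lost", "body": "old archived secret"},
]
KEYRING = {"alice"}  # hypothetical: keys the agent can currently use

def toy_decrypt(msg, keyring):
    """Stand-in for decryption through gpg-agent (assumption, not a real API)."""
    if msg["key"] not in keyring:
        raise DecryptError(msg["id"])
    return msg["body"]

def index_messages(messages, policy, keyring):
    index = {}  # term -> list of (message id, word position)
    for msg in messages:
        if msg["encrypted"]:
            if policy is DecryptPolicy.NEVER:
                continue  # encrypted body never reaches the index
            try:
                body = toy_decrypt(msg, keyring)
            except DecryptError:
                if policy is DecryptPolicy.ALWAYS:
                    raise
                continue  # opportunistic: keep indexing the rest
        else:
            body = msg["body"]
        for pos, term in enumerate(body.lower().split()):
            index.setdefault(term, []).append((msg["id"], pos))
    return index

def reconstruct(index, msg_id):
    """Rebuild a message's text from the index alone, with no key involved."""
    hits = sorted((pos, term) for term, posts in index.items()
                  for mid, pos in posts if mid == msg_id)
    return " ".join(term for _, term in hits)
```

Anyone who can read the index built under the opportunistic or always modes can recover the decrypted body of `m2` without its key, so that index needs the same at-rest protection as the plaintext would.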
