Re: [PATCH] emacs: new crypto customization variable to control stashing of encryption session keys

[Jameson Graef Rollins <jrollins@finestructure.net>]

[-- Attachment #1: Type: text/plain, Size: 2036 bytes --]

On Tue, Jun 19 2018, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> This is looking good to me, thanks!
>
> two more bits of nit-pickery below:
>
> On Tue 2018-06-19 08:20:12 -0700, Jameson Graef Rollins wrote:
>> +(defcustom notmuch-show-stash-session-keys nil
>> +  "Should session keys be stashed when decrypting messages for display?
>> +
>> +If this variable is non-nil session keys recovered while
>> +decrypting messages for display will be stored in the database.
>> +See description of --decrypt option in notmuch-show(1) for more
>> +information.
>
> do we want to include a warning here about the security of the index?
> setting this value to true not only stashes the session keys, but it
> also indexes the cleartext.  at the moment we're not directing people to
> the same kind of warnings ("Be aware that the index… DO NOT USE …
> without considering the security of your index.") that are present
> already in notmuch-reindex(1) and notmuch-new(1) and notmuch-insert(1).
> Perhaps notmuch-show(1) needs the same boilerplate warning, and we could
> replicate some short version of it here too?

I was wondering if it would make sense to have a separate man page for
describing all the intricacies of notmuch's crypto functionality,
i.e. notmuch-crypto(7).  There's going to be a lot of
redundancy/boilerplate in all the different man pages, and it seems like
it would be useful to put it all in one place and just reference it from
all the others.

This could also be a good place to describe how protected headers are
handled, and autocrypt once we finally get around to implementing it.

>> +NOTE: Stashing encryption session keys requires opening the
>> +notmuch database in read/write mode, which is not normally done
>
> i'd say "not otherwise done" instead of "not normally done", since we
> don't want to claim that people who use this feature aren't "normal" :)

But the claim wouldn't not be true!

I'll push another (five copies of a new) version.

jamie.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]