thread-based email index, search, and tagging https://git.notmuchmail.org/git/notmuch/atom?h=0.29 2019-05-29T11:02:45Z 2019-05-29T11:02:45Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-26T22:15:55Z urn:sha1:a6b0772b60d9191fcc291358eec3d78bfea31f1c When walking the MIME tree, if we discover that we are at the cryptographic payload, then we would like to record at least the Subject header of the current MIME part. In the future, we might want to record many other headers as well, but for now we will stick with just the Subject. See https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope for more description of the Cryptographic Payload vs. the Cryptographic Envelope. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-26T11:20:23Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-25T18:04:03Z urn:sha1:74919c226eafad4de6b3a823f83a8be970e77e24 E-mail encryption and signatures reported by notmuch are at the MIME part level. This makes sense in the dirty details, but for users we need to have a per-message conception of the cryptographic state of the e-mail. (see https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html for more discussion of why this is important). The object created in this patch is a useful for tracking the cryptographic state of the underlying message as a whole, based on a depth-first search of the message's MIME structure. This object stores a signature list of the message, but we don't handle it yet. Further patches in this series will make use of the signature list. 2019-05-07T09:41:28Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-06T19:45:51Z urn:sha1:5642efb72072167f5bcaa5025adbf0493fe171ba The comment line here lingers from when we were using some fancy version checking about session keys. Correct it to match the current state. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-03T09:56:38Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-02T13:19:41Z urn:sha1:b7ac4c05e118047442378f58eeb69d43bd1cbdb1 This means dropping GMimeCryptoContext and notmuch_config arguments. All the argument changes are to internal functions, so this is not an API or ABI break. We also get to drop the #define for g_mime_3_unused. signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-03T09:55:32Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-02T13:19:37Z urn:sha1:bb0b119358e4d6df5cc085a48cb3d2e09e396922 Our minimum version of GMime 3.0 always supports good session key handling. signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-05-03T09:55:04Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2019-05-02T13:19:36Z urn:sha1:096d45a878ba9606f1677f66d346b14c3c274fa5 Note that we do keep ignoring the gpg_path configuration option, though, to avoid breakage of existing installations. It is ignored like any other unknown configuration option, but we at least document that it is ignored so that people who find it in their legacy configs can know that it's safe to drop. signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2017-12-08T12:08:47Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2017-12-08T06:24:02Z urn:sha1:fccebbaeef1e4b6489425afb13f419543d53d285 Here's the configuration choice for people who want a cleartext index, but don't want stashed session keys. Interestingly, this "nostash" decryption policy is actually the same policy that should be used by "notmuch show" and "notmuch reply", since they never modify the index or database when they are invoked with --decrypt. We take advantage of this parallel to tune the behavior of those programs so that we're not requesting session keys from GnuPG during "show" and "reply" that we would then otherwise just throw away. 2017-12-08T12:08:47Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2017-12-08T06:24:01Z urn:sha1:29648a137c5807135ab168917b4a51d5e19e51c2 If you're going to store the cleartext index of an encrypted message, in most situations you might just as well store the session key. Doing this storage has efficiency and recoverability advantages. Combined with a schedule of regular OpenPGP subkey rotation and destruction, this can also offer security benefits, like "deletable e-mail", which is the store-and-forward analog to "forward secrecy". But wait, i hear you saying, i have a special need to store cleartext indexes but it's really bad for me to store session keys! Maybe (let's imagine) i get lots of e-mails with incriminating photos attached, and i want to be able to search for them by the text in the e-mail, but i don't want someone with access to the index to be actually able to see the photos themselves. Fret not, the next patch in this series will support your wacky uncommon use case. 2017-12-08T12:08:46Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2017-12-08T06:23:58Z urn:sha1:d137170b23f8ccd9f967445e101d6f694df1cad4 In our consolidation of _notmuch_crypto_decrypt, the callers lost track a little bit of whether any actual decryption was attempted. Now that we have the more-subtle "auto" policy, it's possible that _notmuch_crypto_decrypt could be called without having any actual decryption take place. This change lets the callers be a little bit smarter about whether or not any decryption was actually attempted. 2017-12-08T12:07:53Z Daniel Kahn Gillmor dkg@fifthhorseman.net 2017-12-08T06:23:53Z urn:sha1:e4890b5bf9e2260b36bcc36ddb77d8e97e2abe7d This new automatic decryption policy should make it possible to decrypt messages that we have stashed session keys for, without incurring a call to the user's asymmetric keys.