On 04/07/2014 05:06 PM, Mark Walters wrote:
> I think it is worse than that: I think (from what people said on irc
> some time ago) that the index contains the word and the position of that
> word so essentially the whole message can be reconstructed from the
> index.

Agree with Mark here, the warnings around such a feature should clearly say "this stores a cleartext equivalent of your message in the notmuch index." Even if the index weren't structured in this way, modern natural language processing techniques and a plausible training corpus should be able to come very close to the original cleartext message, so it should be treated as such.

fwiw, the workflow i outlined should make it so that users can receive all messages encrypted; when they read each encrypted message, they get a choice about whether to store a cleartext-equivalent in their notmuch index. (note of course that it's possible to store your notmuch index on an encrypted filesystem itself, for a different flavor of confidentiality protection for the data once it's come to rest).

This per-message decision mechanism lets a thoughtful user make that tradeoff on a piecemeal basis (it also allows for blanket (mis)judgement, of course).

There are certainly some messages that one might never want to store in a cleartext index, while other messages might be less sensitive to exposure while being more valuable to the user if stored in a well-indexed, searchable local archive.

I think this is a feature worth having, despite the warning labels it probably needs.

--dkg
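The following is an added illustration, not part of the original message and not notmuch or Xapian code, of why an index that records each word together with its position is a cleartext equivalent. It uses a toy in-memory index; the tokenizer, the sample text and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample message body (not taken from the thread).
SAMPLE = "Meet me at the north gate at nine. Bring the signed contract."


def tokenize(text):
    """Lowercase word tokens with punctuation dropped (assumed toy tokenizer)."""
    return re.findall(r"[a-z0-9']+", text.lower())


def build_positional_index(text):
    """Map each term to the 1-based positions at which it occurs."""
    index = defaultdict(list)
    for pos, term in enumerate(tokenize(text), start=1):
        index[term].append(pos)
    return dict(index)


def drop_terms(index, stop_words):
    """Model an indexer that skips some terms but keeps positions of the rest."""
    return {t: p for t, p in index.items() if t not in stop_words}


def reconstruct(index):
    """Invert the posting lists: put every term back at its recorded positions."""
    by_pos = {}
    for term, positions in index.items():
        for pos in positions:
            by_pos[pos] = term
    if not by_pos:
        return ""
    # A position with no recorded term is shown as "_" so gaps stay visible.
    return " ".join(by_pos.get(p, "_") for p in range(1, max(by_pos) + 1))


if __name__ == "__main__":
    idx = build_positional_index(SAMPLE)
    print(reconstruct(idx))                              # full word sequence
    print(reconstruct(drop_terms(idx, {"the", "at"})))   # gaps, still readable
```

Only case and punctuation are lost in the first reconstruction, and dropping common words in the second still leaves the message readable, which is the basis for treating the index with the same care as the decrypted message.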