Re: [PATCH 3/3] emacs: Drop content-free "Unknown signature status" button

Subject: Re: [PATCH 3/3] emacs: Drop content-free "Unknown signature status" button

Date: Tue, 23 Apr 2019 12:18:29 -0400

To: Notmuch Mail


From: Daniel Kahn Gillmor

On Mon 2019-04-22 13:26:05 -0400, Daniel Kahn Gillmor wrote:
> On Mon 2019-04-22 13:18:14 -0400, Daniel Kahn Gillmor wrote:
>> When we have not been able to evaluate the signature status of a given
>> MIME part, showing a content-free (and interaction-free) "[ Unknown
>> signature status ]" button doesn't really help the user at all, and
>> takes up valuable screen real-estate.
>> A visual reminder that a given message is *not* signed isn't helpful
>> unless it is always present, in which case we'd want to see "[ Unknown
>> signature status ]" buttons on all messages, even ones that don't have
>> a signing structure, but i don't think we want that.
> This is a small step down the path of making notmuch-emacs friendlier
> with regards to encrypted messages, but it's one that will have an
> effect on future patch series that work with encrypted messages.  I'd be
> happy to hear any concerns people have about this change, but i find
> notmuch-emacs is more pleasant to use this way.

I've heard from some people that they don't like this final patch
because the "[ Unknown signature status ]" button is at least an
indication that the message appears to be signed (even if we decided not
to -- or were unable to -- evaluate the signature).

I considered this argument when writing the patch initially, and i don't
think it's a good argument for two reasons:

 a) without actual signature verification, the user experience is
    trivially scammable by an adversary who knows how to craft a MIME
    message, and it's basically encouraging a user pattern that is
    something along the lines of:

    (though maybe a bit more subtle, based on MIME structure instead of
    the inline-signing that xkcd is mocking)

    This is a particularly bad security indicator and user experience.
    The thing isn't reliable, and it's not actionable in most cases.

 b) In the current state of the codebase, the presence of the button
    does *not* indicate that a signature-like thing is even present.  If
    you look at
    test/emacs-show.expected-output/notmuch-show-decrypted-message, that
    shows the cleartext view of a decrypted message which *does not*
    have an OpenPGP signature on it at all
    (test/corpora/crypto/basic-encrypted.eml is encrypted but unsigned).

I could imagine changing notmuch to fix concern (b) -- that is, hiding
the button just in the case where no signature-looking thing is present
at all.  But i haven't seen anyone even identify that problem publicly
yet, let alone offer a fix for it.

But i think that (a) is at least as big of a concern as (b); the fix i'm
proposing in this series is actually simpler than such a targeted fix
would be; and the fix in this series actually solves both problems.

If someone wants to offer a fix just for (b) on top of the first two
patches in this series, i'd happily advocate for it as better than the
status quo, which would let us put off (a) to a more interesting and
targeted discussion.
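As an added illustration (example code, not notmuch's own Emacs Lisp nor anything from the author): the narrow check a targeted fix for concern (b) would need is "is there a signature-looking MIME structure here at all?", and the following Python shows both what that check looks like and why, per concern (a), its answer is not a security indicator. `has_signature_structure` and `structural_status` are names chosen here; the three MIME messages are constructed samples with placeholder bodies (no real ciphertext or signature), standing in for the test corpus files the message refers to.

```python
"""Structural check for a 'signature-looking thing' in a MIME message.

Added example, not notmuch code. It walks the MIME tree and reports
whether a multipart/signed container (RFC 1847 / RFC 3156) with an
application/pgp-signature part is present. It performs NO verification,
which is exactly why a button driven by a check like this (concern (a))
tells the user nothing trustworthy: the structure is trivial to produce.
"""
from email import message_from_string
from email.message import Message


def has_signature_structure(msg: Message) -> bool:
    """True if any multipart/signed container with a pgp-signature part
    exists anywhere in the MIME tree. Nothing is verified."""
    for part in msg.walk():
        if part.get_content_type() != "multipart/signed":
            continue
        protocol = (part.get_param("protocol") or "").lower()
        payload = part.get_payload()
        # RFC 1847: exactly two parts; the second one carries the signature.
        if (protocol == "application/pgp-signature"
                and isinstance(payload, list) and len(payload) == 2
                and payload[1].get_content_type() == "application/pgp-signature"):
            return True
    return False


def structural_status(raw: str) -> str:
    """Label a raw RFC 822 message by structure only (hypothetical helper)."""
    if has_signature_structure(message_from_string(raw)):
        return "signature-structure-present (unverified)"
    return "no-signature-structure"


# --- constructed samples (placeholder bodies, not real OpenPGP data) ---

# Stands in for the cleartext view of an encrypted-but-unsigned message:
# after decryption there is no signature layer at all, so no button is
# warranted by structure alone.
DECRYPTED_CLEARTEXT = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample (decrypted view)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

This is the decrypted cleartext; it was never signed.
"""

# Encrypted, unsigned container as it sits in the mail store.
ENCRYPTED_UNSIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample (encrypted, unsigned)
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="enc";
 protocol="application/pgp-encrypted"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

PLACEHOLDERCIPHERTEXTNOTREALDATA==
-----END PGP MESSAGE-----
--enc--
"""

# multipart/signed whose signature part is a placeholder: the structural
# check reports "present" even though nothing here could ever verify.
SIGNED_STRUCTURE_ONLY = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample (signed structure, placeholder signature)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="sig"; micalg=pgp-sha256;
 protocol="application/pgp-signature"

--sig
Content-Type: text/plain; charset=us-ascii

Hello Bob.
--sig
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

PLACEHOLDERSIGNATUREBYTESNOTREALDATA==
-----END PGP SIGNATURE-----
--sig--
"""

if __name__ == "__main__":
    for label, raw in [("decrypted cleartext", DECRYPTED_CLEARTEXT),
                       ("encrypted unsigned", ENCRYPTED_UNSIGNED),
                       ("signed structure only", SIGNED_STRUCTURE_ONLY)]:
        print(f"{label:22s} -> {structural_status(raw)}")
```

The two unsigned samples come back as "no-signature-structure", which is the case a fix for (b) would use to suppress the button. The third sample comes back as "signature-structure-present (unverified)" purely because the container is well-formed; a button keyed on that result is the unreliable, non-actionable indicator the message argues against.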
