On Tue 2015-09-08 02:01:42 -0400, David Edmondson wrote: > On Mon, Sep 07 2015, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: >> On Thu 2015-08-20 09:12:26 -0400, David Edmondson wrote: >>> After listening to bremner, dkg et al. from Heidelberg, I threw together >>> a quick patch to see how we might indicate signature validity in the >>> fringe. The intention is to prompt more discussion - this code is not >>> ready to ship. >> >>> The patch is attached. The result looks something like: >>> http://dme.org/data/images/notmuch-signed-fringe.png >> >> I like the basic idea of this, thanks for putting it together. It's >> good to put security indicators in a region of the UI that the message >> content cannot modify or spoof. >> >> What do we think should be done if there are multiple nested signatures? > > Cry? heh :) > More seriously, we could use the indentation space for a similar > indicator, which would allow us some room at an appropriate depth for > each message (but not each part (in the default configuration)). hm, but couldn't the indentation space be spoofed by a well-crafted message? that is: a non-indented message will consume space up to (but not including) the fringe. so a well-crafted message could be made to *look* like an indented message, including whatever is comparable to the chrome/UI elements we would use for an actual signed message. I think it is also acceptable to just punt at some level -- we can say "notmuch-emacs will indicate the outermost signed message part in the fringe; it will not indicate nested signed messages in the fringe". this is still an improvement from the status quo. --dkg