What, Where, When
=================

*  Bremner and dkg are co-hosting a BoF at [debconf](https://summit.debconf.org/debconf15/meeting/217/improving-privacy-and-security-for-notmuch-mail/).

* The meeting is Monday 2015-08-17, 1700-1800 CET

* Video streaming should be [available](https://wiki.debconf.org/wiki/DebConf15/Videostream/Amsterdam)


Agenda
======

Moving parts for secure e-mail
------------
* libxapian  (C++, full text search)
* libgmime (C, glib, RFC822+MIME library)
* libnotmuch (C and C++)
* /usr/bin/notmuch (C)
* GnuPG (C)
* Emacs UI (emacs lisp)
  * notmuch-emacs
  * mml-mode, mm multimedia rendering library
* Alot / nmbug / nmbug-status (python)
  * python-bindings
* webmail:
  * noservice (Clojure)
  * notmuch web (Haskell)

Security and privacy concerns
-----------------------------
* privacy leaks rendering messages
* message-id collisions
* Oops I just sent...
  * wrong key selection during composition
  * reply (message mode defaults)
* inline PGP

* webmail authentication/authorization (multiple users?)
* webmail message escaping (XSS, etc)
* shell injection
* terminal escape sequences
* S/MIME support
  * signatures
  * encryption
* reproducible builds:
  [sphinx man pages](https://reproducible.debian.net/rb-pkg/testing/amd64/notmuch.html)

### usability as security?

* indexing encrypted mail
* Memory Hole protected headers
* key selection indicators during composition


Breakout sessions
-----------------

* based on moving part

Reportbacks
-----------



-------------------------


more complete agenda:

        * S/MIME signatures and encryption
            * test suites
            * integration with other keyrings
            * signature only (easyish) versus encryption (more work)
        * Improving the security of the Emacs MML mime composer
            * automated "encrypt-when-i-have-keys-available" mode or other convenience functions?
            * can an adversary force signatures based on quoted text?
            * generate memory-hole-style messages
        * Searching of GPG encrypted mail
            * possible implementation mechanism: "notmuch reindex --with-filter=decrypt"
        * Auditing and fixing "webbug" style problems in front ends
            * can we instruct emacs to restrict all network access from notmuch?
            * what other frontends might call out to the network?
        * Making notmuch build reproducibly
            * https://reproducible.debian.net/rb-pkg/unstable/amd64/notmuch.html
        * Protect against spoofed signature verification?
            * how do we deal with multipart messages where only a subtree is signed?
            * are other sorts of spoofing possible?
        * read and display memory-hole-style messages
        * "safe" ways to display html parts (e.g. without text/plain alternatives)