* Bremner and dkg are co-hosting a BoF at [debconf](https://summit.debconf.org/debconf15/meeting/217/improving-privacy-and-security-for-notmuch-mail/).
-* The meeting is Monday 2015-08-17, 1700-1800
+* The meeting is Monday 2015-08-17, 1700-1800 CET
* Video streaming should be [available](https://wiki.debconf.org/wiki/DebConf15/Videostream/Amsterdam)
+* We will probably use
+ [gobby](https://packages.debian.org/jessie/gobby) for collaborative
+ editing. Unfortunately the infinote backend for emacs-rudel seems
+ not work. After installing gobby (>= 5.0), run
+
+ % gobby infinote://gobby.debian.org/debconf15/bof/notmuch-privacy-and-security
+
Agenda
======
* GnuPG (C)
* Emacs UI (emacs lisp)
* notmuch-emacs
- * mml-mode
+ * mml-mode, mm multimedia rendering library
* Alot / nmbug / nmbug-status (python)
* python-bindings
* webmail:
* noservice (Clojure)
* notmuch web (Haskell)
-Security concerns
------------------
-* wrong key selection during composition
-* reply (message mode defaults)
-* inline PGP
+Security and privacy concerns
+-----------------------------
* message-id collisions
-* webmail authentication/authorization (muliple users?)
-* webmail message escaping (XSS, etc)
+* rendering "rich" messages
+ * network access in front ends
+ * safe rendering of HTML
+* rendering security information
+ * spoofing signatures
+ * partially signed messages
+* Oops I just sent...
+ * wrong key selection during composition
+ * reply (message mode defaults)
+ * opportunistic signing and encryption
+ * using markup for security
+* inline PGP
+* webmail
+ * authentication/authorization (multiple users?)
+ * message escaping (XSS, etc)
* shell injection
* terminal escape sequences
* S/MIME support
-
-### usability as security?
-
-* indexing encrypted mail
+ * signatures
+ * encryption
+ * integration with other keyrings
+* reproducible builds:
+ [sphinx man pages](https://reproducible.debian.net/rb-pkg/testing/amd64/notmuch.html)
+* decryption happens in the CLI rather than the UI
+ * when using the UI and the CLI on different machines (so called "remote" mode), this leads to some undesirable and odd behaviour:
+ * decrypted content is passed across a potentially insecure channel (though usually ssh)
+ * the CLI needs access to keys, which can be awkward or impossible
+
+Usability as security?
+----------------------
+
+* Indexing encrypted mail
+ * incremental re-indexing?
* Memory Hole protected headers
-* key selection indicators during compositoin
-
+* Key selection indicators during composition
Breakout sessions
-----------------
-----------
-
--------------------------
-
-proposed session:
----------
-One of (at least my) primary motivations for working on Notmuch is reducing my dependence on cloud services, and supporting the secure sending and receiving of signed and encrypted mail. Like any realworld piece of software, notmuch is far from perfect, and several areas related to privacy and security could clearly be improved. During this BoF we'd like to plan out some topics to work on in followup hacking sessions. Anyone is welcome, even if they don't feel like hacking on notmuch. Potential topics of discussion andhacking include:
- * S/MIME signatures and encryption
- * Improving the security of the Emacs MML mime composer
- * Searching of GPG encrypted mail
- * Auditing and fixing "webbug" style problems in front ends
- * Making notmuch build reproducibly
-
----------
-
-more complete agenda:
-
- * S/MIME signatures and encryption
- * test suites
- * integration with other keyrings
- * signature only (easyish) versus encryption (more work)
- * Improving the security of the Emacs MML mime composer
- * automated "encrypt-when-i-have-keys-available" mode or other convenience functions?
- * can an adversary force signatures based on quoted text?
- * generate memory-hole-style messages
- * Searching of GPG encrypted mail
- * possible implementation mechanism: "notmuch reindex --with-filter=decrypt"
- * Auditing and fixing "webbug" style problems in front ends
- * can we instruct emacs to restrict all network access from notmuch?
- * what other frontends might call out to the network?
- * Making notmuch build reproducibly
- * https://reproducible.debian.net/rb-pkg/unstable/amd64/notmuch.html
- * Protect against spoofed signature verification?
- * how do we deal with multipart messages where only a subtree is signed?
- * are other sorts of spoofing possible?
- * read and display memory-hole-style messages
- * "safe" ways to display html parts (e.g. without text/plain alternatives)
-
-
projects / notmuch-wiki / blobdiff