What, Where, When
=================

* Bremner and dkg are co-hosting a BoF at [DebConf](https://summit.debconf.org/debconf15/meeting/217/improving-privacy-and-security-for-notmuch-mail/).

* The meeting is Monday 2015-08-17, 1700-1800 CET

* Video streaming should be [available](https://wiki.debconf.org/wiki/DebConf15/Videostream/Amsterdam)

* We will probably use
  [gobby](https://packages.debian.org/jessie/gobby) for collaborative
  editing. Unfortunately the infinote backend for emacs-rudel does not
  seem to work. After installing gobby (>= 5.0), run

      % gobby infinote://gobby.debian.org/debconf15/bof/notmuch-privacy-and-security

* IRC: I suggest we use #notmuch on freenode for discussion, unless that proves problematic.

Agenda
======

Moving parts for secure e-mail
------------------------------
* libxapian  (C++, full text search)
* libgmime (C, glib, RFC822+MIME library)
* libnotmuch (C and C++)
* /usr/bin/notmuch (C)
* GnuPG (C)
* Emacs UI (emacs lisp)
  * notmuch-emacs
  * mml-mode, mm multimedia rendering library
* Alot / nmbug / nmbug-status (python)
  * python-bindings
* webmail:
  * noservice (Clojure)
  * notmuch web (Haskell)

Security and privacy concerns
-----------------------------

* message-id collisions
* rendering "rich" messages
  * network access in front ends
  * safe rendering of HTML
* rendering security information
  * spoofing signatures
    + Use Emacs' fringe to show what part of a message is signed
  * partially signed messages
    + have a look at how mutt renders signed msgs
    + IMHO how notmuch-emacs displays them is already quite good, you can clearly 
      see which parts are signed
* Oops I just sent...
  * wrong key selection during composition
  * reply (message mode defaults)
  * opportunistic signing and encryption
  * using markup for security
* inline PGP
  - should it support inline PGP at all?
  - workarounds:
    - switch to a terminal, use notmuch search, and then access
      the raw file directly with different tools
    - notmuch-emacs: epa-decrypt-region
* webmail
  * authentication/authorization (multiple users?)
  * message escaping (XSS, etc.)
* shell injection
  + like including shell commands into the Message-ID?
* terminal escape sequences
* S/MIME support
  * signatures
  * encryption
  * integration with other keyrings
* reproducible builds:
  [sphinx man pages](https://reproducible.debian.net/rb-pkg/testing/amd64/notmuch.html)
* decryption happens in the CLI rather than the UI
  * when using the UI and the CLI on different machines (so-called "remote" mode), this leads to some undesirable and odd behaviour:
    * decrypted content is passed across a potentially insecure channel (though usually ssh)
    * the CLI needs access to keys, which can be awkward or impossible

Usability as security?
----------------------

* Indexing encrypted mail
  * incremental re-indexing?
  * There's been a bunch of research papers published ~10y ago about searching
    encrypted data; any practical or more recent outcome?
* Memory Hole protected headers
* Key selection indicators during composition

Breakout sessions
-----------------

* based on moving parts

Reportbacks
-----------