GNU bug report logs - #17391
Bug#745553: emacs24-el: mml2015-always-trust should default to nil, not t

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 27 Jan 2017 06:45:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 27 01:45:40 2017
Received: from localhost ([127.0.0.1]:46875 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cX0Hz-0002B8-Rr
	for submit <at> debbugs.gnu.org; Fri, 27 Jan 2017 01:45:40 -0500
Received: from mx2.heinlein-support.de ([91.198.250.20]:54025)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jens.lechtenboerger@HIDDEN>)
 id 1cX0Hx-0002Ap-E2; Fri, 27 Jan 2017 01:45:37 -0500
Received: from mx1.mailbox.org (mx1.mailbox.org [80.241.60.212])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx2.heinlein-support.de (Postfix) with ESMTPS id 1F32F30229;
 Fri, 27 Jan 2017 07:45:31 +0100 (CET)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.mailbox.org (Postfix) with ESMTPS id AC46D44D4A;
 Fri, 27 Jan 2017 07:45:30 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240])
 by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172])
 (amavisd-new, port 10030)
 with ESMTP id Hy894ZzLq_wj; Fri, 27 Jan 2017 07:45:28 +0100 (CET)
From: Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>
To: Daniel Kahn Gillmor <dkg@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
 <87a8aenaqe.fsf@HIDDEN>
 <87a8add5ye.fsf@HIDDEN>
 <87k29h2z4h.fsf@HIDDEN>
OpenPGP: id=0xA142FD84;
 url=https://www.informationelle-selbstbestimmung-im-internet.de/A142FD84.asc
Date: Fri, 27 Jan 2017 07:45:23 +0100
In-Reply-To: <87k29h2z4h.fsf@HIDDEN> (Daniel Kahn Gillmor's
 message of "Thu, 26 Jan 2017 18:13:50 -0500")
Message-ID: <87inp1ypa4.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Justus Winter <justus@HIDDEN>, 745553-forwarded@HIDDEN,
 Lars Ingebrigtsen <larsi@HIDDEN>, Daiki Ueno <ueno@HIDDEN>,
 17391 <at> debbugs.gnu.org, rlb@HIDDEN,
 "Neal H. Walfield" <neal@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

On 2017-01-26, at 18:13, Daniel Kahn Gillmor wrote:

> On Thu 2017-01-26 13:36:09 -0500, Jens Lechtenboerger wrote:

>> That=E2=80=99s customized in mml-secure-key-preferences.  So, the usual
>> customize interface is available.  And there is some code to detect
>> and remove unusable customizations.
>
> When was this introduced?  i don't see it, but then i'm still using
> emacs24.  Do i need to upgrade?

I introduced that about a year ago, when Gnus was still developed in
its own repository.  I don=E2=80=99t know anything about Gnus releases since
then.

The doc string reports those changes as of version 25.1 of Emacs.

Best wishes
Jens

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 27 Jan 2017 02:50:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 26 21:50:20 2017
Received: from localhost ([127.0.0.1]:46831 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWwcG-00053L-DO
	for submit <at> debbugs.gnu.org; Thu, 26 Jan 2017 21:50:20 -0500
Received: from eggs.gnu.org ([208.118.235.92]:54310)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ueno@HIDDEN>) id 1cWwcE-000539-7y
 for 17391 <at> debbugs.gnu.org; Thu, 26 Jan 2017 21:50:18 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ueno@HIDDEN>) id 1cWwc6-0000fe-1o
 for 17391 <at> debbugs.gnu.org; Thu, 26 Jan 2017 21:50:13 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:56828)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ueno@HIDDEN>)
 id 1cWwbJ-0000Gp-DJ; Thu, 26 Jan 2017 21:49:21 -0500
Received: from du-a.org ([219.94.251.20]:49682 helo=localhost.localdomain)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ueno@HIDDEN>)
 id 1cWwbH-00078s-U5; Thu, 26 Jan 2017 21:49:20 -0500
Message-ID: <87mvedxlnk.fsf-ueno@HIDDEN>
From: Daiki Ueno <ueno@HIDDEN>
To: Daniel Kahn Gillmor <dkg@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
 <87a8aenaqe.fsf@HIDDEN>
 <87a8add5ye.fsf@HIDDEN>
 <871svpobsx.fsf-ueno@HIDDEN> <87fuk52yyk.fsf@HIDDEN>
Date: Fri, 27 Jan 2017 03:49:03 +0100
In-Reply-To: <87fuk52yyk.fsf@HIDDEN> (Daniel Kahn Gillmor's
 message of "Thu, 26 Jan 2017 18:17:23 -0500")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -8.2 (--------)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Justus Winter <justus@HIDDEN>, 17391 <at> debbugs.gnu.org,
 745553-forwarded@HIDDEN, Lars Ingebrigtsen <larsi@HIDDEN>,
 Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>, rlb@HIDDEN,
 "Neal H. Walfield" <neal@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -8.2 (--------)

Daniel Kahn Gillmor <dkg@HIDDEN> writes:

> On Thu 2017-01-26 14:34:22 -0500, Daiki Ueno wrote:
>> Jens Lechtenboerger <jens.lechtenboerger@HIDDEN> writes:
>>> The mml code is based on EasyPG by Daiki Ueno (cc=E2=80=99ed).  EasyPG =
makes
>>> use of sub-keys and their IDs for encryption commands, instead of
>>> relying on GnuPG=E2=80=99s selections.
>>
>> It was suggested by Werner to do key selection in Emacs, like GPGME.  I
>> don't know whether GPGME changed the logic though.
>
> I don't know what this means -- i don't think that GPGME itself does key
> selection.  Can you tell me more?

My wording might be confusing; let me rephase: I don't think GPGME has a
means of using GnuPG's selections, which the applications can rely on.

EasyPG is modelled after GPGME, and Gnus is an application using it,
thus it is a responsiblity of Gnus to select usable keys by itself.

> Presumably users who use emacs with gpg also use gpg with other tools
> (possibly even other MUAs), or even gpg on its own. Collecting key
> preference data in multiple places while sharing the underlying key
> store seems like a recipe for synchronization problems and confusing
> behavior, particularly for folks who don't know how the tools fit
> together.

If there is the means to do that in GPGME now, yes, it would be nice for
EasyPG to provide a similar mechanism which can be used from Gnus.
Otherwise, IMO, neither EasyPG nor Gnus should try to do the selection
by calling gpg directly, even if it could be useful.

Regards,
--=20
Daiki Ueno

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 26 Jan 2017 23:19:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 26 18:19:37 2017
Received: from localhost ([127.0.0.1]:46621 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWtKL-00052e-G4
	for submit <at> debbugs.gnu.org; Thu, 26 Jan 2017 18:19:37 -0500
Received: from che.mayfirst.org ([162.247.75.118]:52770)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dkg@HIDDEN>)
 id 1cWtKF-00051X-8T; Thu, 26 Jan 2017 18:19:31 -0500
Received: from fifthhorseman.net (unknown [38.109.115.130])
 by che.mayfirst.org (Postfix) with ESMTPSA id A0CE7F98C;
 Thu, 26 Jan 2017 18:19:29 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id 5BF8620407; Thu, 26 Jan 2017 18:13:50 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@HIDDEN>
To: Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
In-Reply-To: <87a8add5ye.fsf@HIDDEN>
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
 <87a8aenaqe.fsf@HIDDEN>
 <87a8add5ye.fsf@HIDDEN>
Date: Thu, 26 Jan 2017 18:13:50 -0500
Message-ID: <87k29h2z4h.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Justus Winter <justus@HIDDEN>, 745553-forwarded@HIDDEN,
 Lars Ingebrigtsen <larsi@HIDDEN>, Daiki Ueno <ueno@HIDDEN>,
 17391 <at> debbugs.gnu.org, rlb@HIDDEN,
 "Neal H. Walfield" <neal@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

On Thu 2017-01-26 13:36:09 -0500, Jens Lechtenboerger wrote:
> On 2017-01-25, at 15:30, Daniel Kahn Gillmor wrote:
>> On Wed 2017-01-25 15:09:47 -0500, Jens Lechtenboerger wrote:
>>> mml2015-always-trust is replaced by mml-secure-openpgp-always-trust
>>> nowadays.  I certainly wouldn’t object if the default value was
>>> changed, but lots of long-term users might be surprised.
>>
>> It's also possible that lots of long-term users might be surprised to
>> find that refreshing one key in their keyring is likely to cause a
>> change in behavior for the use of other keys in their keyring.  this is
>> a silent surprise, which seems worse than a public surprise.
>
> Sorry, I don’t understand this.  What change in one key is causing
> silent changes for other keys?

Without the notification that multiple keys are available, Bob can add
Carol's User ID to his cert ; depending on where the certs are
positioned linearly in Alice's keyring, mail to Carol might be encrypted
to Bob's key, or to Alice's key.

I think this is mitigated at least in part by prompting the user when
there are multiple keys available, though.

> That’s customized in mml-secure-key-preferences.  So, the usual
> customize interface is available.  And there is some code to detect
> and remove unusable customizations.

When was this introduced?  i don't see it, but then i'm still using
emacs24.  Do i need to upgrade?

>> Modern versions of GnuPG also provide a "tofu" mechanism to store and
>> track that kind of decision in.  Neal Walfield (also cc'ed here) put in
>> a lot of that implementation, so he might have some suggestions for the
>> best way to handle it.
>
> If Emacs was relying on GnuPG’s decisions, nothing special would be
> necessary for tofu, right?  (Users could activate that in their
> gpg.conf.)

Neal can answer this better than i can.  I think the TOFU mode works
best when there's a bit of UI integration -- emacs would provide the way
for the user to answer a question prompted by gpg, and then gpg is
responsible for storing/tracking all the info.

            --dkg

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 26 Jan 2017 23:19:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 26 18:19:37 2017
Received: from localhost ([127.0.0.1]:46619 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWtKL-00052R-3V
	for submit <at> debbugs.gnu.org; Thu, 26 Jan 2017 18:19:37 -0500
Received: from che.mayfirst.org ([162.247.75.118]:52764)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dkg@HIDDEN>)
 id 1cWtKF-00051W-6S; Thu, 26 Jan 2017 18:19:31 -0500
Received: from fifthhorseman.net (unknown [38.109.115.130])
 by che.mayfirst.org (Postfix) with ESMTPSA id B2EA9F997;
 Thu, 26 Jan 2017 18:19:29 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id 328B3206C3; Thu, 26 Jan 2017 18:17:27 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@HIDDEN>
To: Daiki Ueno <ueno@HIDDEN>,
 Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
In-Reply-To: <871svpobsx.fsf-ueno@HIDDEN>
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
 <87a8aenaqe.fsf@HIDDEN>
 <87a8add5ye.fsf@HIDDEN>
 <871svpobsx.fsf-ueno@HIDDEN>
Date: Thu, 26 Jan 2017 18:17:23 -0500
Message-ID: <87fuk52yyk.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Justus Winter <justus@HIDDEN>, 745553-forwarded@HIDDEN,
 Lars Ingebrigtsen <larsi@HIDDEN>, 17391 <at> debbugs.gnu.org,
 rlb@HIDDEN, "Neal H. Walfield" <neal@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Thu 2017-01-26 14:34:22 -0500, Daiki Ueno wrote:
> Jens Lechtenboerger <jens.lechtenboerger@HIDDEN> writes:
>> The mml code is based on EasyPG by Daiki Ueno (cc=E2=80=99ed).  EasyPG m=
akes
>> use of sub-keys and their IDs for encryption commands, instead of
>> relying on GnuPG=E2=80=99s selections.
>
> It was suggested by Werner to do key selection in Emacs, like GPGME.  I
> don't know whether GPGME changed the logic though.

I don't know what this means -- i don't think that GPGME itself does key
selection.  Can you tell me more?

Presumably users who use emacs with gpg also use gpg with other tools
(possibly even other MUAs), or even gpg on its own.  Collecting key
preference data in multiple places while sharing the underlying key
store seems like a recipe for synchronization problems and confusing
behavior, particularly for folks who don't know how the tools fit
together.


>>> Modern versions of GnuPG also provide a "tofu" mechanism to store and
>>> track that kind of decision in.  Neal Walfield (also cc'ed here) put in
>>> a lot of that implementation, so he might have some suggestions for the
>>> best way to handle it.
>
> I'm afraid I wouldn't do any work toward tofu at this level of quality;
> in particular, until they reach the consensus whether tofu is only
> activated when encryption is triggered by an email address.

I don't think i understand this either.  Can you explain more about what
you need from the GnuPG TOFU code?

Thanks for this discussion, hopefully it'll lead somewhere fruitful.

       --dkg

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOCdgUepHf6PklTkyFJitxsGSMjcFAliKg4MACgkQFJitxsGS
MjenIA/9E4JhobUEa/zjMo0QsruwEqG2SKJ1NeYHLOwR+Ba/gnw/t61EIxgD9dU3
ydQDoHXr6eFXeDJk5VIsG9+RGwXaiBkjzk5z2Yfi3QRHLCpDEU6+kz+TYlRYZwQ5
OQuO3azwO5wFIeSqJuW0MiiUOUaD/cEt6FiWsWve4dLxaltmQBYO1kGadXwHuC9R
E9/3KAlqh5bL8yeA7R7BhFE1XhRHtnZF9EVK8isx4CCb9CL6pP9j8h8jaMdSM9q+
zfB/0EXrFkaN69WI2I0KeJS55eYZ/rTq9s3gzmlOf6cLtK85mswkUxqCWXHnKY/x
JXnEG3fhlvtRpf+dgt4iFy3OFQg67QqeJM9BUjefob5v8LZzc8hnRI589e94syFO
PerqWpMIKoEMdU9rSi/FryoD7MlgziTNWeAmwBnwF7LWxIeI58CQvUxUynASBMVz
YSgB7C2i69jql5JCZQhW82H3dL98YJfzvn+fJSz8k6tfk1ep26gD2n4k7V0hDZRK
zqLFhaXe3JK43XWg18EP6aFeOsPJ98k7tdXoBTHImq4UMbsIRY14MzmDS5EFr3RQ
i6exJ0nUz4vs6zpcd7un4EVzMpmQomhAF6kSuh6fh3KBzrquJ+ZUdzTwhHFFRjBE
R+H6jcPVOfEXDMG6Nhuk6pgjLVSetaR5egHg2A2tgFPeHxeTwbI=
=/aiu
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 26 Jan 2017 23:19:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 26 18:19:37 2017
Received: from localhost ([127.0.0.1]:46617 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWtKK-00052N-Ra
	for submit <at> debbugs.gnu.org; Thu, 26 Jan 2017 18:19:37 -0500
Received: from che.mayfirst.org ([162.247.75.118]:52756)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dkg@HIDDEN>)
 id 1cWtKF-00051V-38; Thu, 26 Jan 2017 18:19:31 -0500
Received: from fifthhorseman.net (unknown [38.109.115.130])
 by che.mayfirst.org (Postfix) with ESMTPSA id AB032F993;
 Thu, 26 Jan 2017 18:19:29 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id 762F22072D; Thu, 26 Jan 2017 18:19:24 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@HIDDEN>
To: Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>,
 Lars Ingebrigtsen <larsi@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
In-Reply-To: <87a8aehpf8.fsf@HIDDEN>
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
Date: Thu, 26 Jan 2017 18:19:20 -0500
Message-ID: <87d1f92yvb.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 17391
Cc: 745553-forwarded@HIDDEN, 17391 <at> debbugs.gnu.org,
 745553@HIDDEN, 17338 <at> debbugs.gnu.org, rlb@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Wed 2017-01-25 15:09:47 -0500, Jens Lechtenboerger wrote:
> mml2015-always-trust is replaced by mml-secure-openpgp-always-trust
> nowadays.  I certainly wouldn=E2=80=99t object if the default value was
> changed, but lots of long-term users might be surprised.

hm, i just noticed that mml-secure-openpgp-always-trust isn't in emacs24
either.  is this also limited to emacs25?  Maybe this change of variable
is a good chance to do the transition to a better default.

         --dkg

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOCdgUepHf6PklTkyFJitxsGSMjcFAliKg/kACgkQFJitxsGS
MjckRRAAzNaL1N+8WJqcVoQ8rjb03ITgWScWcP4qeMlVMRC6AZj5tPSTL52iDOQI
yTAG17ydHxg/85vARrhOB7WTHATasJqJh84zgL9CfRUpUtD65GRzjlxLop1ntdLz
Rc4M/Y08TODpgYp+IGRpWlrhH/2PLSQ+DGy4K7CpBWFx7FvoK/FY2IhD4IB/crMx
j/1zgpd/s3cQlgZnhXRSgiedcges/pbuL75h22dIzVSihJNEMpMJBEojGhhzcvD/
ELpjqfVtxK9HL6EzWJMqJ3vFRET0a1DLQy0O/2NkkzqFGI/zs/IHqTiu4J9mq85F
zD8yLWoREJVbDcRGMk+gb6CFkYEAEJOMUUXC2CrLsPGKP3w/d711/F+KK9i1iwJW
zEvq4OuCgNsebAyUoMm0mTcQI0GnB8ABIymYjtty5t2Eqrbn7TnTpclojHX1/mgl
GKZTD1JBm9BBEaufe0EA6df60hJOd7pVrqCjb0jLFUqhwEuH7GNSNdszlUiSZXaf
h040cW4oNrGsiUsqhZ7bQ3k2j+vGT1xGXhsYJbc8Who7T08gEAgnEaQLuiIPGxLI
spQaZLi4t94koIFmDGsw4NpDf00/34CenFIOWoohyejUgawVvgD3bJhZYr2fZKXd
0YM+uhBoqOCm6Yfyd5/hbAPlLUV/5PBOkf1ve7jaZY247IF1P78=
=L9hJ
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 26 Jan 2017 19:35:51 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 26 14:35:51 2017
Received: from localhost ([127.0.0.1]:46042 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWppn-0005tv-Dr
	for submit <at> debbugs.gnu.org; Thu, 26 Jan 2017 14:35:51 -0500
Received: from eggs.gnu.org ([208.118.235.92]:54633)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ueno@HIDDEN>) id 1cWppl-0005tg-7m
 for 17391 <at> debbugs.gnu.org; Thu, 26 Jan 2017 14:35:49 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ueno@HIDDEN>) id 1cWppc-00080m-S3
 for 17391 <at> debbugs.gnu.org; Thu, 26 Jan 2017 14:35:44 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:52600)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ueno@HIDDEN>)
 id 1cWpog-0007lP-Ky; Thu, 26 Jan 2017 14:34:42 -0500
Received: from du-a.org ([219.94.251.20]:49652 helo=localhost.localdomain)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ueno@HIDDEN>)
 id 1cWpof-0001rC-8k; Thu, 26 Jan 2017 14:34:41 -0500
Message-ID: <871svpobsx.fsf-ueno@HIDDEN>
From: Daiki Ueno <ueno@HIDDEN>
To: Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
 <87a8aenaqe.fsf@HIDDEN>
 <87a8add5ye.fsf@HIDDEN>
Date: Thu, 26 Jan 2017 20:34:22 +0100
In-Reply-To: <87a8add5ye.fsf@HIDDEN>
 (Jens Lechtenboerger's message of "Thu, 26 Jan 2017 19:36:09 +0100")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -8.2 (--------)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Justus Winter <justus@HIDDEN>,
 Daniel Kahn Gillmor <dkg@HIDDEN>, 745553-forwarded@HIDDEN,
 Lars Ingebrigtsen <larsi@HIDDEN>, 17391 <at> debbugs.gnu.org,
 rlb@HIDDEN, "Neal H. Walfield" <neal@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -8.2 (--------)

Jens Lechtenboerger <jens.lechtenboerger@HIDDEN> writes:

>> Modern versions of GnuPG automatically select the key which GnuPG knows
>> to have the best validity among all matches for the selector, thanks to
>> work put in by Justus Winter (cc'ed), so letting GnuPG make the decision
>> would relieve emacs of most of the hard work here, and would also mean
>> that any changes that the user makes to their GnuPG keyring would
>> automatically take effect in emacs without mml-mode needing to do
>> anything.
>
> The mml code is based on EasyPG by Daiki Ueno (cc=E2=80=99ed).  EasyPG ma=
kes
> use of sub-keys and their IDs for encryption commands, instead of
> relying on GnuPG=E2=80=99s selections.

It was suggested by Werner to do key selection in Emacs, like GPGME.  I
don't know whether GPGME changed the logic though.

>> Modern versions of GnuPG also provide a "tofu" mechanism to store and
>> track that kind of decision in.  Neal Walfield (also cc'ed here) put in
>> a lot of that implementation, so he might have some suggestions for the
>> best way to handle it.

I'm afraid I wouldn't do any work toward tofu at this level of quality;
in particular, until they reach the consensus whether tofu is only
activated when encryption is triggered by an email address.

Regards,
--=20
Daiki Ueno

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 26 Jan 2017 18:36:24 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 26 13:36:24 2017
Received: from localhost ([127.0.0.1]:45932 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWouG-00013J-JI
	for submit <at> debbugs.gnu.org; Thu, 26 Jan 2017 13:36:24 -0500
Received: from mx2.mailbox.org ([80.241.60.215]:59941)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jens.lechtenboerger@HIDDEN>)
 id 1cWouD-000130-Uc; Thu, 26 Jan 2017 13:36:22 -0500
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx2.mailbox.org (Postfix) with ESMTPS id 46412457EB;
 Thu, 26 Jan 2017 19:36:15 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240])
 by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172])
 (amavisd-new, port 10030)
 with ESMTP id pV8jcKJTrEtv; Thu, 26 Jan 2017 19:36:12 +0100 (CET)
From: Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>
To: Daniel Kahn Gillmor <dkg@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
 <87a8aenaqe.fsf@HIDDEN>
OpenPGP: id=0xA142FD84;
 url=https://www.informationelle-selbstbestimmung-im-internet.de/A142FD84.asc
Date: Thu, 26 Jan 2017 19:36:09 +0100
In-Reply-To: <87a8aenaqe.fsf@HIDDEN> (Daniel Kahn Gillmor's
 message of "Wed, 25 Jan 2017 15:30:33 -0500")
Message-ID: <87a8add5ye.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Justus Winter <justus@HIDDEN>, 745553-forwarded@HIDDEN,
 Lars Ingebrigtsen <larsi@HIDDEN>, Daiki Ueno <ueno@HIDDEN>,
 17391 <at> debbugs.gnu.org, rlb@HIDDEN,
 "Neal H. Walfield" <neal@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On 2017-01-25, at 15:30, Daniel Kahn Gillmor wrote:

> On Wed 2017-01-25 15:09:47 -0500, Jens Lechtenboerger wrote:

>> mml2015-always-trust is replaced by mml-secure-openpgp-always-trust
>> nowadays.  I certainly wouldn=E2=80=99t object if the default value was
>> changed, but lots of long-term users might be surprised.
>
> It's also possible that lots of long-term users might be surprised to
> find that refreshing one key in their keyring is likely to cause a
> change in behavior for the use of other keys in their keyring.  this is
> a silent surprise, which seems worse than a public surprise.

Sorry, I don=E2=80=99t understand this.  What change in one key is causing
silent changes for other keys?

>> Also, nowadays, if multiple keys are available for a recipient, the
>> user is asked which key to use and whether to store that choice.
>
> And how is that choice stored?  How and when can it be revisited by the
> user?  What happens if that choice becomes invalid in the future
> (e.g. the primary key, or the encryption-capable subkey is revoked,
> expired, etc)?

That=E2=80=99s customized in mml-secure-key-preferences.  So, the usual
customize interface is available.  And there is some code to detect
and remove unusable customizations.

>> Then, EasyPG is responsible for calling GnuPG.  Maybe something
>> needs to be adjusted there as well.  What is the expected command
>> line behavior?
>
> Modern versions of GnuPG automatically select the key which GnuPG knows
> to have the best validity among all matches for the selector, thanks to
> work put in by Justus Winter (cc'ed), so letting GnuPG make the decision
> would relieve emacs of most of the hard work here, and would also mean
> that any changes that the user makes to their GnuPG keyring would
> automatically take effect in emacs without mml-mode needing to do
> anything.

The mml code is based on EasyPG by Daiki Ueno (cc=E2=80=99ed).  EasyPG makes
use of sub-keys and their IDs for encryption commands, instead of
relying on GnuPG=E2=80=99s selections.

> Modern versions of GnuPG also provide a "tofu" mechanism to store and
> track that kind of decision in.  Neal Walfield (also cc'ed here) put in
> a lot of that implementation, so he might have some suggestions for the
> best way to handle it.

If Emacs was relying on GnuPG=E2=80=99s decisions, nothing special would be
necessary for tofu, right?  (Users could activate that in their
gpg.conf.)

Best wishes
Jens

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 25 Jan 2017 20:30:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jan 25 15:30:45 2017
Received: from localhost ([127.0.0.1]:43552 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWUDN-0005Kw-0I
	for submit <at> debbugs.gnu.org; Wed, 25 Jan 2017 15:30:45 -0500
Received: from che.mayfirst.org ([162.247.75.118]:51310)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dkg@HIDDEN>)
 id 1cWUDJ-0005GN-Bv; Wed, 25 Jan 2017 15:30:41 -0500
Received: from fifthhorseman.net (unknown [38.109.115.130])
 by che.mayfirst.org (Postfix) with ESMTPSA id 5B911F98C;
 Wed, 25 Jan 2017 15:30:40 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id CD57A201A6; Wed, 25 Jan 2017 15:30:36 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@HIDDEN>
To: Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>,
 Lars Ingebrigtsen <larsi@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
In-Reply-To: <87a8aehpf8.fsf@HIDDEN>
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
 <87a8aehpf8.fsf@HIDDEN>
Date: Wed, 25 Jan 2017 15:30:33 -0500
Message-ID: <87a8aenaqe.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Justus Winter <justus@HIDDEN>, 745553-forwarded@HIDDEN,
 17391 <at> debbugs.gnu.org, rlb@HIDDEN,
 "Neal H. Walfield" <neal@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Wed 2017-01-25 15:09:47 -0500, Jens Lechtenboerger wrote:
> On 2017-01-25, at 18:19, Lars Ingebrigtsen wrote:
>
>> Daniel Kahn Gillmor <dkg@HIDDEN> writes:
>>
>>> So in the scenario above, Bob's cert is still overall valid (because it
>>> has a valid certification over the correct UserID+key from Alice), even
>>> though the carol@HIDDEN UserID is invalid.
>>>
>>> I don't know mml-mode or elisp well enough to dig into the code and fix
>>> this part of the problem quickly, but if someone has patches that i can
>>> look at that would point to where it might be changed, i'd be happy to
>>> try to review them.
>>
>> I'm also mostly unfamiliar with the mml encryption code, but perhaps
>> Jens could take a peek at this?
>
> mml2015-always-trust is replaced by mml-secure-openpgp-always-trust
> nowadays.  I certainly wouldn=E2=80=99t object if the default value was
> changed, but lots of long-term users might be surprised.

It's also possible that lots of long-term users might be surprised to
find that refreshing one key in their keyring is likely to cause a
change in behavior for the use of other keys in their keyring.  this is
a silent surprise, which seems worse than a public surprise.

> Also, nowadays, if multiple keys are available for a recipient, the
> user is asked which key to use and whether to store that choice.

And how is that choice stored?  How and when can it be revisited by the
user?  What happens if that choice becomes invalid in the future
(e.g. the primary key, or the encryption-capable subkey is revoked,
expired, etc)?

> Then, EasyPG is responsible for calling GnuPG.  Maybe something
> needs to be adjusted there as well.  What is the expected command
> line behavior?

Modern versions of GnuPG automatically select the key which GnuPG knows
to have the best validity among all matches for the selector, thanks to
work put in by Justus Winter (cc'ed), so letting GnuPG make the decision
would relieve emacs of most of the hard work here, and would also mean
that any changes that the user makes to their GnuPG keyring would
automatically take effect in emacs without mml-mode needing to do
anything.

Modern versions of GnuPG also provide a "tofu" mechanism to store and
track that kind of decision in.  Neal Walfield (also cc'ed here) put in
a lot of that implementation, so he might have some suggestions for the
best way to handle it.

Thanks for looking into this, Lars and Jens!

     --dkg


--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOCdgUepHf6PklTkyFJitxsGSMjcFAliJCukACgkQFJitxsGS
MjeHhRAAviRJHUEUusRrZqhqyxif3qFjuK0zrPn++CmKoJoq14iSBP8ovD32Idtu
ShPS6zULdkdZu/pLrhwLgnlqtiwGynlWxBOGBHacSIZSeBc6TYCprETd836quJ8b
81aXw2f/+L8GMRLYb9vYnJGGrEUHu2JR4uwYUk613fTKLh2frKEUj+QBV90SlMpH
hFTEKKeDlQYYCQjFEtLf+zqvHBAAeHR4EhqTrxzCjAH33hsND9ghcrWj+FD7mAyU
n5HzTtP3B1/QYOsdZzRY1QdfJAPPLEOLkA6A2o8PmgXc9te2vWPzUjC0psrNtszW
Su050vLQfFKrwk/q57CRyFJBuc66S/Wn6OKgx4acI4bHf8WbjAYgiI198ryfS+vj
N3ABMyCBkMEvz3r2XefLh8LL2T4rRbuo003kkMMaYT4I61bfmEqbesnU3EeCmifK
oL748vLg6Bs6kxh9cQ8PDMICXHunf1NaB2Pl3yS1A2IysoYjgpBKdHBR8t0orP6m
iIGfMR/nTl0PvsA9GlyXX+J8d6LaoAIBxeVUvcx8EhoaYtUSx+ChOiQtazb7K6pm
XzEbpDTCc6umjgRQ+Y0rLdx0Z33EBPeQRKn/zlU7KG+BkbGXYs062jb3HqWKWoOC
GxZHJZs34QM45T9b3MR4iAoUVFq7HikfU7XitF5sA3OHd8OKrzo=
=EixD
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 25 Jan 2017 20:10:03 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jan 25 15:10:02 2017
Received: from localhost ([127.0.0.1]:43505 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWTtK-0002TY-BE
	for submit <at> debbugs.gnu.org; Wed, 25 Jan 2017 15:10:02 -0500
Received: from mx1.mailbox.org ([80.241.60.212]:40673)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jens.lechtenboerger@HIDDEN>)
 id 1cWTtH-0002So-6c; Wed, 25 Jan 2017 15:09:59 -0500
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.mailbox.org (Postfix) with ESMTPS id E3701455D0;
 Wed, 25 Jan 2017 21:09:52 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240])
 by spamfilter02.heinlein-hosting.de (spamfilter02.heinlein-hosting.de
 [80.241.56.116]) (amavisd-new, port 10030)
 with ESMTP id guHn9vZhKDWE; Wed, 25 Jan 2017 21:09:50 +0100 (CET)
From: Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>
To: Lars Ingebrigtsen <larsi@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN> <87k29jvyzc.fsf@HIDDEN>
OpenPGP: id=0xA142FD84;
 url=https://www.informationelle-selbstbestimmung-im-internet.de/A142FD84.asc
Date: Wed, 25 Jan 2017 21:09:47 +0100
In-Reply-To: <87k29jvyzc.fsf@HIDDEN> (Lars Ingebrigtsen's message of "Wed,
 25 Jan 2017 18:19:35 +0100")
Message-ID: <87a8aehpf8.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 Daniel Kahn Gillmor <dkg@HIDDEN>, 745553-forwarded@HIDDEN,
 17391 <at> debbugs.gnu.org, rlb@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On 2017-01-25, at 18:19, Lars Ingebrigtsen wrote:

> Daniel Kahn Gillmor <dkg@HIDDEN> writes:
>
>> So in the scenario above, Bob's cert is still overall valid (because it
>> has a valid certification over the correct UserID+key from Alice), even
>> though the carol@HIDDEN UserID is invalid.
>>
>> I don't know mml-mode or elisp well enough to dig into the code and fix
>> this part of the problem quickly, but if someone has patches that i can
>> look at that would point to where it might be changed, i'd be happy to
>> try to review them.
>
> I'm also mostly unfamiliar with the mml encryption code, but perhaps
> Jens could take a peek at this?

mml2015-always-trust is replaced by mml-secure-openpgp-always-trust
nowadays.  I certainly wouldn=E2=80=99t object if the default value was
changed, but lots of long-term users might be surprised.

Also, nowadays, if multiple keys are available for a recipient, the
user is asked which key to use and whether to store that choice.

Then, EasyPG is responsible for calling GnuPG.  Maybe something
needs to be adjusted there as well.  What is the expected command
line behavior?

Best wishes
Jens

Message received at 17391 <at> debbugs.gnu.org:

Received: (at 17391) by debbugs.gnu.org; 25 Jan 2017 17:22:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jan 25 12:22:14 2017
Received: from localhost ([127.0.0.1]:43140 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1cWRGw-0003Hl-BM
	for submit <at> debbugs.gnu.org; Wed, 25 Jan 2017 12:22:14 -0500
Received: from hermes.netfonds.no ([80.91.224.195]:41935)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <larsi@HIDDEN>)
 id 1cWRGu-0003HS-77; Wed, 25 Jan 2017 12:22:12 -0500
Received: from 2.150.50.220.tmi.telenormobil.no ([2.150.50.220] helo=mouse)
 by hermes.netfonds.no with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <larsi@HIDDEN>)
 id 1cWRGo-0004io-DG; Wed, 25 Jan 2017 18:22:08 +0100
From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Daniel Kahn Gillmor <dkg@HIDDEN>
Subject: Re: bug#17391: Bug#745553: emacs24-el: mml2015-always-trust should
 default to nil, not t
In-Reply-To: <53640041.7070703@HIDDEN> (Daniel Kahn Gillmor's
 message of "Fri, 02 May 2014 16:29:53 -0400")
Date: Wed, 25 Jan 2017 18:19:35 +0100
Message-ID: <87k29jvyzc.fsf@HIDDEN>
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
 <53640041.7070703@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 17391
Cc: 745553@HIDDEN, 17338 <at> debbugs.gnu.org,
 745553-forwarded@HIDDEN, 17391 <at> debbugs.gnu.org,
 Jens Lechtenboerger <jens.lechtenboerger@HIDDEN>, rlb@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

Daniel Kahn Gillmor <dkg@HIDDEN> writes:

> So in the scenario above, Bob's cert is still overall valid (because it
> has a valid certification over the correct UserID+key from Alice), even
> though the carol@HIDDEN UserID is invalid.
>
> I don't know mml-mode or elisp well enough to dig into the code and fix
> this part of the problem quickly, but if someone has patches that i can
> look at that would point to where it might be changed, i'd be happy to
> try to review them.

I'm also mostly unfamiliar with the mml encryption code, but perhaps
Jens could take a peek at this?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 2 May 2014 20:38:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri May 02 16:38:32 2014
Received: from localhost ([127.0.0.1]:48772 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1WgKE2-00016l-Jh
	for submit <at> debbugs.gnu.org; Fri, 02 May 2014 16:38:31 -0400
Received: from eggs.gnu.org ([208.118.235.92]:43658)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <dkg@HIDDEN>) id 1WgK6O-0000sB-Pp
 for submit <at> debbugs.gnu.org; Fri, 02 May 2014 16:30:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <dkg@HIDDEN>) id 1WgK6C-0000Lw-BQ
 for submit <at> debbugs.gnu.org; Fri, 02 May 2014 16:30:31 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:59057)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <dkg@HIDDEN>) id 1WgK6C-0000Ls-8w
 for submit <at> debbugs.gnu.org; Fri, 02 May 2014 16:30:24 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45317)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <dkg@HIDDEN>) id 1WgK65-0003f8-VM
 for bug-gnu-emacs@HIDDEN; Fri, 02 May 2014 16:30:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <dkg@HIDDEN>) id 1WgK5u-0000Ek-Dx
 for bug-gnu-emacs@HIDDEN; Fri, 02 May 2014 16:30:17 -0400
Received: from che.mayfirst.org ([209.234.253.108]:55881)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <dkg@HIDDEN>) id 1WgK5u-0000Ct-B7
 for bug-gnu-emacs@HIDDEN; Fri, 02 May 2014 16:30:06 -0400
Received: from [10.70.10.85] (unknown [38.109.115.130])
 by che.mayfirst.org (Postfix) with ESMTPSA id 1B901F984;
 Fri,  2 May 2014 16:30:02 -0400 (EDT)
Message-ID: <53640041.7070703@HIDDEN>
Date: Fri, 02 May 2014 16:29:53 -0400
From: Daniel Kahn Gillmor <dkg@HIDDEN>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:24.0) Gecko/20100101 Icedove/24.5.0
MIME-Version: 1.0
To: Rob Browning <rlb@HIDDEN>, bug-gnu-emacs@HIDDEN
Subject: Re: Bug#745553: emacs24-el: mml2015-always-trust should default to
 nil, not t
References: <20140422190613.18043.21415.reportbug@HIDDEN>
 <877g6eilsp.fsf@HIDDEN>
In-Reply-To: <877g6eilsp.fsf@HIDDEN>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="fVRvbCUcSkhXaUvdFQOrEMw5fgXd1xKj9"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Fri, 02 May 2014 16:38:28 -0400
Cc: 745553@HIDDEN, 745553-forwarded@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--fVRvbCUcSkhXaUvdFQOrEMw5fgXd1xKj9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 04/24/2014 03:12 PM, Rob Browning wrote:
> [If possible, please preserve the 745553-forwarded address in any repli=
es.]
>=20
> This bug was filed recently, and I suspect it might be something you'd
> like to discuss upstream.

thanks for forwarding this, Rob.

More notes below:

> Daniel Kahn Gillmor <dkg@HIDDEN> writes:
 [...]
>> Consider Alice, who has OpenPGP certificates for "Bob
>> <bob@HIDDEN>" and "Carol <carol@HIDDEN>" in her keyring (in
>> that order).  She has certified them both, so there is one valid
>> primary key for bob@HIDDEN and one valid primary key for
>> alice@HIDDEN
>>
>> Bob turns evil (or maybe his key is compromised) and he adds a new
>> User ID: "Bob <carol@HIDDEN>" to his OpenPGP cert.  He publishes
>> the update to the keyservers.
>>
>> Alice, following best practices, updates her keyring from the
>> keyservers regularly.
>>
>> Alice's keyring now has two certs that have a "carol@HIDDEN" user=

>> ID in them.  One of them is valid, and the other one is not.
>>
>> Alice now composes a message to "Carol <carol@HIDDEN>" and marks
>> it with:
>>
>>  <#secure method=3Dpgpmime mode=3Dsignencrypt>
>>
>> As the message goes out, mml-mode just passes the e-mail address
>> carol@HIDDEN to gpg to encrypt the message body, and gpg uses the=

>> e-mail address to select a key.  Since Bob's key is first in the
>> keyring, it is the one that will be used.

Turns out the situation is slightly worse than i described above.  While
i still think that mml2015-always-trust should default to nil (and this
defends against some failure modes), there are other problems with key
selection that aren't fixed yet.

In particular, the problematic scenario described above is *not* fixed
by changing the setting.  Observing the behavior, it looks like mml-mode
does OpenPGP certificate selection by e-mail address in the following
way (sorry i haven't dug into the code yet):

 0) it asks GnuPG for a cert associated with the given e-mail address

 1) it checks the *overall* validity of the cert in order to decide if
the cert is the right one

 2) if the cert is valid, it encrypts to it.

The problem with this is how gpg defines the overall validity of the
cert: in particular, it defines the validity of a cert as the *highest*
validity of any UserID associated with the cert.  It should instead be
looking at the validity of the desired User ID specifically, not the
overall cert.

So in the scenario above, Bob's cert is still overall valid (because it
has a valid certification over the correct UserID+key from Alice), even
though the carol@HIDDEN UserID is invalid.

I don't know mml-mode or elisp well enough to dig into the code and fix
this part of the problem quickly, but if someone has patches that i can
look at that would point to where it might be changed, i'd be happy to
try to review them.

	--dkg


--fVRvbCUcSkhXaUvdFQOrEMw5fgXd1xKj9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQJ8BAEBCgBmBQJTZABBXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVB
NTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpc2GsP/iUpY4nzueMgpa+AEPQxV+xL
0xw6QDkLt0E/vmTN6M2DIay3poEfEwLTqb66psAS4zns7ctfn2Uo7kurZLbYpKo1
zyKgy+LqWS+R7rofm+wKGC5jZgi3BqphQW53CbHrRvi+VECNAKEgDwBic4GyxRfv
TyWSJ0SMhOsdnj1cxZXnlOwOR4bOBc3B7UBhNQe1z82XD3pC2gaVbXaUNd1fslhB
XGuAdo7GiT3v9e7P/mJL1PRKz0DGNY3NHmEIV3RByDEPukfarPOnVb6GPHP5v7RC
R/dmqcpeYXWi3FCDh7lhOez8UzuBFl/JgBfX7DHxg16Ccp2BFaLo4FD0HEuB0nPe
mxX6Zw1Uri+w3aZqIZKlcBFk/q7NLzUe9f5yl0qgq1CqIDxg4m1beRRKUsNb1/1/
vYZYun9VH131VaMu+wtDzw2qH46f5Oemi1o/ZNG5GkTDdcJlu6/GdupaF8bemy4o
1aWxGwXl/i3OYRCt4HaHZrqET0GRLUVcsB+0u7ZYFD/pS5dI4/itnmVsXed6o5OD
SQMqLU7w24BmX6RkC3xOmqeuQKrBuKGhrAEO+rJl8dHPXHv1l7ApCZy4CSJJ4X1c
uhkcL6KQyZfByMiOWC7+yZwokNrWIEZM4n1N/zttGx3W0fzL7rJMvdHyo2XAYXIB
Ep1Luj+vaGxR8NLbg0h6
=LXAD
-----END PGP SIGNATURE-----

--fVRvbCUcSkhXaUvdFQOrEMw5fgXd1xKj9--