Least Privilege Mail Client, was Re: [E-Lang] defense in depth
Mon, 29 Jan 2001 12:26:24 -0700
Bill, you are right...but the part that leaves me boggled at the moment is
making this whole thing user friendly; making the user drag/drop a doc 5
times across 5 apps isn't quite good enough (and if we have an app that does
the drag/drops for us automatically, that piping app has a lot of power). In
particular, for user-friendliness the part that does the encrypting should
also be doing the addressing, since the address and the public key should
both be derived from a single specification of the recipient.
An interesting problem, to work on another day.
----- Original Message -----
From: Bill Frantz <email@example.com>
To: Marc Stiegler <firstname.lastname@example.org>; <email@example.com>;
Sent: Friday, January 26, 2001 6:24 PM
Subject: Least Privilege Mail Client, was Re: [E-Lang] defense in depth
> At 02:50 PM 1/25/01 -0700, Marc Stiegler wrote:
> >I talked about refactoring Web servers so that smaller components have
> >powers, and Web servers as an example seem pretty clean. But I don't
> >currently see how to refactor the components in a mail manager while
> >presenting a smooth user interface.
> Well, there is a bunch of stuff you still have to trust, but I think we
> break things up to gain some safety. Here is one approach:
> Mail reader: Uses POP/etc. to read mail and create a "Letter" object for
> each piece. (Can not read plaintext of encrypted mail.)
> Letter object: Encapsulates text of mail. Provides methods to access
> headers. Requires an unsealer to read text.
> Filter: Reads headers to sort mail into mailboxes. Passes Letter object a
> "no hole" factory for filtering on mail text. (Response from factory
> object is true, goes into the associated mail box, or false, continue
> Mailbox: A collection of Letter objects. Lets you do usual UI things like
> sorting, changing mailbox, and opening.
> Mail Viewer: Has Letter unsealer, and is used to view the text of mail.
> Uses the Decrypter to decipher encrypted mail.
> Decrypter: Gets passphrase from user and decrypts encrypted mail for the
> Mail Viewer.
> Encrypter: Gets public key of recipients and encrypts mail for the
> Composer: Used to edit new mail. Has Letter unsealer for quoting. Uses
> Encrypter and Signer when requested by user.
> Signer: Reads passphrase from user. (User knows when mail is being
> signed.) Only available to composer.
> AddressBook: Can send to, cc, bcc etc. headers to Composer.
> Is this approach a reasonable start?
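Bill's Letter/unsealer split, sketched in Python as an added example (not code from the thread or from E): the mail reader holds only the sealer, the filter routes on headers and is given no unsealer, and only the viewer holds the Letter unsealer. The class and function names, the sample message and the header-only rule are assumptions; the "no hole" factory for filtering on mail text is left out.

```python
def make_brand(name):
    """Sealer/unsealer pair: only this unseal opens boxes made by this seal."""
    class Box:
        def __init__(self, contents):
            self._contents = contents  # Python offers no real ocap encapsulation; sketch only
    def seal(contents):
        return Box(contents)
    def unseal(box):
        if type(box) is not Box:
            raise PermissionError(f"not sealed with brand {name!r}")
        return box._contents
    return seal, unseal

class Letter:
    """Headers are open to any holder of the Letter; the text needs the unsealer."""
    def __init__(self, headers, sealed_text):
        self._headers = dict(headers)
        self._sealed_text = sealed_text
    def header(self, name):
        return self._headers.get(name.lower())
    def text(self, unseal):
        return unseal(self._sealed_text)

def make_mail_reader(seal):
    """Mail reader: turns raw mail into Letters; it holds the sealer, never the unsealer."""
    def read(raw):
        head, _, body = raw.partition("\n\n")
        headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in head.splitlines())}
        return Letter(headers, seal(body))
    return read

def route(letter, rules):
    """Filter: sorts on headers alone, so it needs (and gets) no unsealer."""
    for mailbox, predicate in rules:
        if predicate(letter.header):
            return mailbox
    return "inbox"

def can_read_text(letter, unseal):
    """True only for a component holding the matching unsealer."""
    try: letter.text(unseal); return True
    except PermissionError: return False

# Constructed sample message and wiring (assumptions, not from the thread)
RAW = "From: alice@example.net\nSubject: Re: [E-Lang] defense in depth\n\nHello from Alice."
LETTER_SEAL, LETTER_UNSEAL = make_brand("letter")
read_mail = make_mail_reader(LETTER_SEAL)
RULES = [("e-lang", lambda h: "[E-Lang]" in (h("subject") or ""))]
def view(letter):  # Mail viewer: the one component holding the Letter unsealer
    return letter.text(LETTER_UNSEAL)
```

A component that is handed a Letter but not LETTER_UNSEAL (the filter, a mailbox) can sort and display headers yet cannot reach the text, which is the authority boundary Bill's breakdown is after.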