(In reply to comment #11)
Summary of this Comment:
The key long-term consideration in altering any message is maintaining the chain
of responsibility for the message's content. Users should understand that there
are consequences in altering a message. Peter's suggested warning dialog box
would work for me if it contained the option for users who remove attachments to
"sign" that action with their own digital signatures, thereby establishing
responsibility for the act of altering the message.
Detailed Comment:
I won't argue the case for the original bug (2920) here. I assume that all are
in agreement that the fix is valuable.
For me, this bug (288700) has been part of bug 2920 from the very start, because
the vast majority of the messages I receive are signed -- well, at least the
ones that I need to archive without attachments. Preserving the original
signature is not necessary as long as the person who removes the original
signature takes responsibility for having done so. The key issue is whether
there is someone who takes RESPONSIBILITY for any changes to the original
message, not whether there are any changes at all. At least, that's the
long-term consideration for my purposes.
Here's the criterion: My mail archives must constitute an accurate record of
what happened -- a record of who did what, and when they did it -- that a
historian can use 200 years from now to accurately reconstruct the progression
of today's events. The burden of proof as to authenticity is mine.
Yes...I understand all the arguments asserting that someone might break into my
machine and somehow falsify the record, but let's assume for the moment that
I've taken measures to make that virtually impossible. Let's assume that there's
no (known) way for anyone (including me) to falsify the record without being
detected (true). Let's assume that the situation is no more complicated than this:
• I want to remove attachments (which entails also removing the original
sender's signature)
• I want to certify that I have done so by signing that action with my own
identity-trusted signature
• My digital signature on that action is good enough to establish the chain of
responsibility for the message for archival purposes.
Clearly, the responsibility for altering the original message in any way must be
on the person who makes such alterations. If I absolutely need to have the
original message intact (say, for use in a legal case) I will simply leave it
intact -- end of story. But for any other purpose that I can imagine, it's
perfectly acceptable to alter the message as long as that action is...er,
"certified" by my digital signature. That puts me on the hook for having made
the alteration, and also for ensuring that the entire process is secure -- by
which I mean that I'm on the hook for proving that nobody else tampered with it.
I wouldn't have altered the message if I weren't prepared to accept
responsibility for it, but that's not relevant here.
Here's the relevant question: Have we designed the application in a way that
enables users to accept responsibility for their actions, and informs them that
they need to make that decision?
I believe that everyone has put enough thought into this bug to have addressed
all the issues that we can reasonably be expected to have addressed. From an
application design standpoint, our responsibility to do social engineering is
minimal. The best we can do is enable users to take responsibility for their
actions. Whether they choose to do so is up to them.
That's why the warning dialog is such a good idea. The user should understand
that there are consequences in altering the message. Peter's suggested warning
dialog box addresses most of the requirements that the mail application should
cover, except for "signing" the action as I've described above. In other words,
Peter's dialog would work for me if it contained the option for users who remove
the attachments to "sign" that action with their own digital signatures.