From b1b95d93db8c1a0cf4dcaa848177cc3255d5aaf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?= Date: Sun, 10 Jul 2016 13:26:45 +0200 Subject: [PATCH] Updated Keyserver less OpenPGP (markdown) --- Keyserver-less-OpenPGP.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/Keyserver-less-OpenPGP.md b/Keyserver-less-OpenPGP.md index bb28a85..19ae345 100644 --- a/Keyserver-less-OpenPGP.md +++ b/Keyserver-less-OpenPGP.md 
@@ -1,12 +1,24 @@ -Opportunistic Key Exchange - -This does not discuss trust, only key discovery! +Warning: This does not discuss trust, only key discovery! +# Opportunistic Key Exchange * A: Send normal email with header ``OpenPGP: preference=signencrypt`` * B: Receiver's normal response email is signed and contains the key as attachment * A: Email is received, key is automatically imported and signature verified. Check that key corresponds to sig? * A: 3rd email is encrypted+signed in this exchange +# Full Text +We propose to enable the OpenPGP header by default for all outgoing emails to announce to recipients that you are capable of receiving OpenPGP protected emails. + +The default header should look like this: ``OpenPGP: preference=signencrypt`` + +Always announcing that a sender is capable of receiving OpenPGP protected emails signals to the receiver to -- for the next email to this sender -- attach his/her public key and sign it. + +In K-9 Mail on Android we plan to import these attached keys automatically to opportunistically protect emails with OpenPGP. + +We propose this additional roundtrip with the header instead of always signing and attaching keys directly, because users which don't use OpenPGP are annoyed by weird attachments like signature.asc or 0x12345678.asc. + +We are not proposing to include a Key ID or URL in the header by default for all emails as this would leak additional data. Including a Key ID would leak information about the key if it's available on keyservers, including the URL does not allow to import something automatically as this introduced a synchronous connection to a webserver, which could be exploited for tracking users for example. + [The "OpenPGP" mail and news header field](https://tools.ietf.org/html/draft-josefsson-openpgp-mailnews-header-07) Tracking in email client bug trackers:
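Review bot: the exchange steps still carry the open question "Check that key corresponds to sig?" while the new "Full Text" section states flatly that K-9 Mail will import attached keys automatically; the prose should resolve that question rather than leave it, e.g. state that an attached key is only imported when it verifies the signature on the very message that carried it, and that a key which does not verify the signature is ignored, so the proposal's "opportunistically protect" claim is tied to a concrete check. Smaller wording issues in the same hunk: "users which don't use OpenPGP" should read "users who don't use OpenPGP", "does not allow to import something automatically as this introduced a synchronous connection" should read "does not allow importing anything automatically, as this introduces a synchronous connection", and the sentence "Including a Key ID would leak information about the key if it's available on keyservers, including the URL does not allow..." is two independent points joined by a comma and reads better as two sentences.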