Updated Keyserver less OpenPGP (markdown)

Dominik Schürmann 2017-01-04 13:58:42 +01:00
parent 27da915897
commit d7fa5f0d6e
1 changed files with 1 additions and 31 deletions

@ -1,31 +1 @@
Warning: This does not discuss trust, only key discovery!
# Opportunistic Key Discovery
* A: Send normal email with header ``OpenPGP: preference=signencrypt`` ([see Internet-Draft](https://tools.ietf.org/html/draft-josefsson-openpgp-mailnews-header-07))
* B: B parses header and now knows that A can do OpenPGP
* B: Next normal email is signed and contains the key as attachment
* A: A receives email, key is automatically imported and signature verified. Check that key corresponds to sig?
* A: 3rd email and all onward are encrypted+signed
# Full Description
We propose to enable the OpenPGP header by default for all outgoing emails to announce to recipients that you are capable of receiving OpenPGP protected emails.
The default header should look like this: ``OpenPGP: preference=signencrypt``
Always announcing that a sender is capable of receiving OpenPGP protected emails signals to the receiver to -- for the next email to this sender -- attach his/her public key and sign it.
In K-9 Mail on Android we plan to import these attached keys automatically to opportunistically protect emails with OpenPGP.
We propose this additional roundtrip with the header instead of always signing and attaching keys directly, because users which don't use OpenPGP are annoyed by weird attachments like signature.asc or 0x12345678.asc.
We are not proposing to include a Key ID or URL in the header by default for all emails as this would leak additional data. Including a Key ID would leak information about the key if it's available on keyservers, including the URL does not allow to import something automatically as this introduced a synchronous connection to a webserver, which could be exploited for tracking users for example.
[The "OpenPGP" mail and news header field](https://tools.ietf.org/html/draft-josefsson-openpgp-mailnews-header-07)
Tracking in email client bug trackers:
* [Enigmail](https://sourceforge.net/p/enigmail/bugs/627/)
* KMail
* gpg4o
* GPGOL
* GPGTools
* r2mail2
Superseded by https://github.com/autocrypt/autocrypt/
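
Review bot: the single line that survives at the end of this hunk ("Superseded by https://github.com/autocrypt/autocrypt/") leaves the page with no indication of what was superseded or why. The removed text carried the only security framing on the page: the warning that it "does not discuss trust, only key discovery", and the reasoning for not putting a Key ID or URL in the header (exposure of key information through keyservers, and tracking through a synchronous connection to a webserver). The open question in the step list, "Check that key corresponds to sig?", is also dropped without an answer. Consider keeping a one-paragraph summary of the proposal and that warning above the pointer, or stating that the earlier text remains in the wiki history, so readers arriving from the Enigmail tracker link still find context. The bare URL could also be written as a markdown link, matching the link style used in the removed lines.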