[messaging] TOFU to ease PGP key discovery

Mike Hearn mike at plan99.net
Mon Feb 9 09:57:16 PST 2015

> I don't think Whiteout's proposal is the same as CA offerings.
> Whiteout is proposing a key directory where you can lookup public
> keys.

My understanding is that keys fetched from their own key server have had
their email address verified, thus Whiteout acts as a CA. From the blog

Up until now, Whiteout Mail had its own closed key server under
keys.whiteout.io. We basically did what Matthew Green proposed. We created
a centralized authority that would accept an uploaded public key only after
validating a user’s email address (proving ownership of the key).

The auto-key fetch from existing key servers is indeed different, I was
only referring to the current approach.

> I think a few CAs issue S/MIME certs (for pay, though there seem to be
> free offerings for personal use); but CAs don't run lookup services
> that I'm aware of.

Occasionally they do (LDAP directories), but yes, there's no global list.
Still, I think that's not so bad. Key lookup directories have a couple of

   1. Lookups leak who you're talking to
   2. Initial emails being encrypted interferes with spam filters

The S/MIME default is, Alice sends a cleartext but signed mail to Bob. Bob
replies with a signed and encrypted message. Now the key exchange is
complete. The first mail from Alice to Bob has to be something good enough
to distinguish it from spam and get Bob's attention without actually
revealing anything sensitive, which is a whole kettle of usability fish by
itself, but the act of replying teaches the spam filter that Bob is legit
and attaching keys+certs to emails means there's no central metadata
collection point.

You're right that people can compare fingerprints (with either protocol).
If you go above and beyond what Whiteout does then it can be more secure
than just using Gmail. But you need to obtain the fingerprint/key from
somewhere out of band. If you're doing that, you don't need the key servers
or Whiteout CA anymore, and the features discussed in the blog post are

> But is it really true that S/MIME is "much more widely used in
> corporate deployments than PGP"?  Do you have numbers on that, or more
> info on who/where all this S/MIME adoption is?

That's a good question. I admit, I'm repeating something I have frequently
read, but I don't have data on it. I think S/MIME is not widely deployed by
any measure either, but it'd only take a handful of large deployments to
probably exceed the size of the PGP userbase.

For example the US DoD has a pretty large PKI setup with smartcards, etc.
The Estonian government is said to use S/MIME, they issue certificates to
all citizens and run a public LDAP server for key lookup. Of course, that
doesn't mean most people actually use it.

Here's a paper that repeats the assertion that S/MIME is more widely


Here's someone asking a question and referencing their PKI+S/MIME


Here's a CV mentioning a corporate S/MIME deployment for "BWI Group"


Here's a case study of S/MIME deployment at SEMCA, the "Southeast Michigan
Community Alliance"


It's all anecdotal though. E2E crypto conflicts with legal discoverability
requirements so I would expect it to be mostly used for signing rather than
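The signed-first-mail exchange described in the message above, as an added example that is not part of the original post or of any S/MIME client: each side pins the fingerprint of the key attached to a signed mail on first use and flags a later change, with no directory lookup involved. `PinStore`, the addresses and the certificate byte strings are constructed for illustration, and signature verification is assumed to have succeeded before `observe` is called.

```python
import hashlib


class PinStore:
    """Per-mailbox store of key fingerprints learned from signed mail (TOFU)."""

    def __init__(self):
        self.pins = {}  # email address -> hex SHA-256 fingerprint

    @staticmethod
    def fingerprint(cert: bytes) -> str:
        return hashlib.sha256(cert).hexdigest()

    def observe(self, sender: str, cert: bytes) -> str:
        """Handle the cert attached to an already-verified signed mail."""
        addr = sender.strip().lower()  # simplification: case-insensitive match
        fp = self.fingerprint(cert)
        pinned = self.pins.get(addr)
        if pinned is None:
            self.pins[addr] = fp       # first use: trust and pin
            return "pinned"
        if pinned == fp:
            return "match"
        return "changed"               # old pin kept; needs an out-of-band check

    def can_encrypt_to(self, recipient: str) -> bool:
        return recipient.strip().lower() in self.pins


def run_exchange():
    # Constructed stand-ins for certificates; real ones would be DER bytes.
    alice_cert, bob_cert, other_cert = b"alice-cert-v1", b"bob-cert-v1", b"bob-cert-v2"
    alice, bob = PinStore(), PinStore()
    log = []
    # 1. Alice has no key for Bob, so her first mail is cleartext but signed.
    log.append(("alice->bob encrypted", alice.can_encrypt_to("bob@example.org")))
    log.append(("bob sees alice", bob.observe("alice@example.org", alice_cert)))
    # 2. Bob now holds Alice's key, so his reply is signed and encrypted.
    log.append(("bob->alice encrypted", bob.can_encrypt_to("alice@example.org")))
    log.append(("alice sees bob", alice.observe("Bob@Example.org", bob_cert)))
    # 3. Exchange complete: Alice can encrypt to Bob from here on.
    log.append(("alice->bob encrypted", alice.can_encrypt_to("bob@example.org")))
    # 4. A later mail claiming to be from Bob carries a different key.
    log.append(("alice sees bob again", alice.observe("bob@example.org", other_cert)))
    return log


if __name__ == "__main__":
    for step, result in run_exchange():
        print(f"{step}: {result}")
```

A "changed" result is the point at which the out-of-band fingerprint comparison mentioned in the message becomes necessary.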