[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)

Trevor Perrin trevp at trevp.net
Tue Feb 10 22:33:40 PST 2015

On Mon, Feb 9, 2015 at 5:13 PM, elijah <elijah at riseup.net> wrote:
> Those of us working on email are grappling with the same issues. Many of
> the common issues relate to how different projects will interact with
> one another. This list has had fruitful discussions on key validation,
> but there are other important topics too, for example:

Hey Elijah,

You're raising great questions, I'm going to split this into a few threads...

> (2) We need a new protocol that allows a sender to advertise to the
> recipient what their key is and that they prefer encrypted email. The
> email signature is a good signal, but not ideal because there is no real
> binding between the fingerprint on the signature and the email address
> (unless the provider is in the habit of uploading signatures to the
> public keyservers). The OpenPGP header has the same problem.

Could you expand on what's wrong with existing methods?

Do you just want to convey the sender's public key?  If by OpenPGP
header you mean [1], that allows sending a fingerprint and URL.
That's unfortunately similar to a web bug, but maybe the recipient
could defer fetching the key until they need it to encrypt?

I'm not sure PGP signatures contain the public key or a full hash by
default - so you may be right that signing by itself is insufficient
(signatures don't necessarily "bind" the public key - see
"duplicate-signature key selection" [2]).

Or do you have other goals?
 - convey a key directory where updated keys can be found?
 - convey a signature over the sender's email address?


Per Mike's suggestion I tried this with S/MIME:
 - Got an S/MIME cert, the enrollment was easy with OSX Chrome *but*
only free for personal use, the cert expires in a year, and the cert
could be revoked anytime.
 - Thunderbird couldn't see the cert (doesn't integrate with OSX
keystore), but OSX Mail started signing my messages and picked up
Mike's key from his message (it's too transparent, though - I can't
tell what's encrypted or view fingerprints).  Plaintext drafts of the
messages I'm writing get sync'd through IMAP, which is bad.
 - Exporting my certificate from OSX keychain, then importing into
Thunderbird, was a minor hassle but got encryption/decryption working.
Though my Thunderbird won't sign for some reason.
 - Mike had one failure-to-encrypt (sent plaintext) in a conversation
of a few messages, which he blamed on some "smart card stick" he had
plugged in overriding his regular cert.

Quoting Mike, this feels like "bugs and interop problems nobody ever
fixes because it’s just not a widely used feature. And partly it
doesn’t become widely used because there are lots of rough edges".

But it sort of worked - it would be nice to see more analysis and testing.


[1] http://josefsson.org/openpgp-header/draft-josefsson-openpgp-mailnews-header.txt
[2] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=
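
The deferral idea raised in the message above (record the advertised fingerprint and URL on receipt, fetch the key only when it is needed to encrypt), as an added example that is not part of the original message or of the header draft. It assumes the header is named `OpenPGP` with `id` and `url` parameters; `DeferredKeys`, `fetch` and `fingerprint_of` are hypothetical names, the SHA-1 over raw bytes stands in for a real OpenPGP fingerprint computation, and requiring a full 40-hex `id` and an https URL is this example's own policy.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# name=value pairs separated by ';', value optionally double-quoted
PARAM = re.compile(r'([A-Za-z0-9-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')

def parse_openpgp_header(raw):
    """Return (sender address, {param: value}) without touching the network."""
    msg = message_from_string(raw)
    params = {}
    for name, val in PARAM.findall(msg.get("OpenPGP", "")):
        if val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])  # strip quotes, unescape
        params[name.lower()] = val
    return parseaddr(msg.get("From", ""))[1].lower(), params

class DeferredKeys:
    """Stores advertised (id, url) hints; fetches only when encrypting."""
    def __init__(self, fetch, fingerprint_of):
        self.fetch, self.fingerprint_of = fetch, fingerprint_of  # supplied by caller
        self.hints, self.keys = {}, {}

    def on_receive(self, raw):
        sender, p = parse_openpgp_header(raw)
        # Example policy (assumption): full 40-hex fingerprint and https URL only.
        if re.fullmatch(r'[0-9A-Fa-f]{40}', p.get("id", "")) and p.get("url", "").startswith("https://"):
            self.hints[sender] = (p["id"].upper(), p["url"])

    def key_for_encrypt(self, address):
        if address not in self.keys:
            want, url = self.hints[address]       # KeyError if never advertised
            key = self.fetch(url)                 # the only network access
            if self.fingerprint_of(key).upper() != want:
                raise ValueError("fetched key does not match advertised fingerprint")
            self.keys[address] = key
        return self.keys[address]

def demo():
    key = b"constructed stand-in key material"    # constructed sample, not a real key
    fpr = lambda k: hashlib.sha1(k).hexdigest()   # stand-in for an OpenPGP fingerprint
    raw = ("From: Alice <alice@example.org>\nTo: bob@example.net\n"
           "OpenPGP: id=%s;\n url=\"https://example.org/alice.asc\"\n\nhi\n" % fpr(key))
    fetched = []
    store = DeferredKeys(lambda url: fetched.append(url) or key, fpr)
    store.on_receive(raw)
    before = list(fetched)                        # reading the mail fetched nothing
    store.key_for_encrypt("alice@example.org")
    store.key_for_encrypt("alice@example.org")    # second call is served from cache
    return before, fetched
```

The fetch at encryption time still reveals to the URL's host that the recipient is about to write to the sender; deferral only removes the read-receipt effect at delivery time.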
