[messaging] TOFU to ease PGP key discovery

Mike Hearn mike at plan99.net
Wed Feb 11 03:00:10 PST 2015

> > If you want to try it out, grab a free cert here
> > https://www.comodo.com/home/email-security/free-email-certificate.php
> In my mind, this would be an example of onerous: max key size of 2048,
> limited to personal use, requires a horrible legal agreement, not
> automated.

Well, it's automated to the extent that all you do is type in your email
address and click the validation link that is sent, which isn't much harder
than signing up for a website. The browser knows how to generate a private
key, upload the public certificate part, insert it into the OS keystore
where other apps can find it, etc.

It'd be nice if email clients could trigger the very first stage themselves
via some API though, for sure.

The reason it's limited to personal use is that issuing and managing
certificates has a cost. Let's Encrypt appears to be handling that cost by
getting big corporate sponsors to cover it, rather than cross-subsidising
from charging for corporate usage. But ultimately you still have to place a
bet on *someone* being willing to do the work for free over the long run. I
don't see any way around that. There is work to be done, someone has to do

If anything, cross-subsidisation looks like a more predictable business
model than relying on Mozilla/Akamai/the EFF to always foot the bill.

> It also has mind share,
> which is not an insignificant consideration. You would be hard pressed
> to leak something to Glenn Greenwald using S/MIME.

Well, Glenn didn't use PGP originally, right? He only got set up because
Snowden went to the extreme of making video tutorials showing him how to do
it, and even then, initial attempts at contact were a failure.

If you're going to show someone how to get set up, then I suspect it's
either a wash, or easier with S/MIME as the software is likely already
installed (modulo bugs in unmaintained clients).