[messaging] Secure OpenPGP Key Pair Synchronization via IMAP (RFC)

Vincent Breitmoser look at my.amazin.horse
Fri Apr 10 06:11:07 PDT 2015


Hi Tankred,

the draft mentions that OpenPGP has S2K transforms to protect private
key material, which you specifically don't use because they don't
protect the integrity of the public key material. If we assume that the
fingerprint is still known, the all information besides the private key
material is available in the usual append-only fashion from keyservers.
Can you elaborate on this design decision?

 - V

On 8 Apr 2015, Tankred Hase wrote:

> Hi there,
>
> we've updated our private key synchronization protocol. The new
> version was developed together with Cure53 and it's much simpler
> than the old protocol:
>
> https://blog.whiteout.io/2015/04/08/secure-pgp-key-sync-a-proposal-contd/
>
> The Enigmail developers have also expressed interest, so we would be
> open to standardize it as an RFC if enough vendors back it.
>
> Thanks for any feedback.
>
> Kind regards,
> Tankred


More information about the Messaging mailing list