Created
May 28, 2017 06:54
-
-
Save anonymous/485c7eefe512e9026d23bc213ae5bab5 to your computer and use it in GitHub Desktop.
Letspgp Prove Email
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Challenge-response... | |
User sends request for (email_address, pubkey) pairing certification. | |
Autosigner receives the request and responds to the address with a secret. Message is encrypted to the user's pubkey. | |
User receives (and decrypts) the secret. They send the secret back to the autosigner in a reply. They sign their reply. | |
Autosigner checks the secret and the signature on the message. If it checks out, then the autosigner signs the email UID, certifying the email-pubkey link. | |
Autosigner emails it to the user and (optionally) publishes it to the keyservers directly. | |
U letspgp_request { email, pubkey } | |
S letspgp_challenge { secret } | |
U letspgp_response { secret } | |
U letspgp_request { email, pubkey, sig } | |
S letspgp_challenge { encrypt(pubkey,secret) } | |
U letspgp_response { secret, sig } | |
Can also check PGP Key Records: | |
DNS PKA Records | |
PGP CERT Records | |
IPGP CERT Records | |
Holistic checks: | |
SPF/DKIM/dmarc | |
Dnssec | |
Autosigners may have several different signing keys for use depending on how confident they are in the legitimacy of the user's requested email-pubkey association. | |
Strong (spf, dkim, dnssec, pka) | |
Good (spf, dkim) | |
Basic (spf) | |
Autosigners signatures should expire and be automatically renewed. A user should be able to have multiple pubkeys associated to a single email address (because why not). | |
Letspgp clients should come preseeded with verification methods for autosigners. | |
http://keyserver.mattrude.com/guides/public-key-association | |
http://www.gushi.org/make-dns-cert/HOWTO.html | |
https://grepular.com/Publishing_PGP_Keys_in_the_DNS | |
This is kind of like certificate authorities. But the letspgp trust model lies somewhere in between CA and WOT. You are free to get verified by several autosigners (this is recommended) and clients can implement heuristics of their choosing based upon these signatures. | |
https://www.google.com/amp/www.macg.co/logiciels/2016/04/thunderbird-le-developpement-continue-la-reprise-par-pep-en-pause-93770%3famp | |
https://prettyeasyprivacy.com/faq/ | |
When will Enigmail/p≡p be available? | |
Enigmail/p≡p will be available in November/December 2016. These first releases will encrypt and verify email only and a follow on release which includes anonymization and messaging will be available later in 2016/2017. | |
https://mail.mozilla.org/pipermail/tb-planning/2016-February/004493.html | |
Thunderbird and Pretty Easy Privacy - current status | |
https://pep-project.org/2015-09/s1441611880 | |
Enigmail and p≡p are partnering together for developing Enigmail/p≡p | |
https://wiki.gnupg.org/OpenPGPEmailSummit201512 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment