/gist:485c7eefe512e9026d23bc213ae5bab5

## gistfile1.txt
Challenge-response...

User sends request for (email_address, pubkey) pairing certification.

Autosigner receives the request and responds to the address with a secret. Message is encrypted to the user's pubkey.

User receives (and decrypts) the secret. They send the secret back to the autosigner in a reply. They sign their reply.

Autosigner checks the secret and the signature on the message. If it checks out, then the autosigner signs the email UID, certifying the email-pubkey link.

Autosigner emails it to the user and (optionally) publishes it to the keyservers directly.

U letspgp_request { email, pubkey }
S letspgp_challenge { secret }
U letspgp_response { secret }

U letspgp_request { email, pubkey, sig }
S letspgp_challenge { encrypt(pubkey,secret) }
U letspgp_response { secret, sig }

Can also check PGP Key Records:
DNS PKA Records
PGP CERT Records
IPGP CERT Records

Holistic checks:
SPF/DKIM/dmarc
Dnssec

Autosigners may have several different signing keys for use depending on how confident they are in the legitimacy of the user's requested email-pubkey association.

Strong (spf, dkim, dnssec, pka)
Good (spf, dkim)
Basic (spf)

Autosigners signatures should expire and be automatically renewed. A user should be able to have multiple pubkeys associated to a single email address (because why not).

Letspgp clients should come preseeded with verification methods for autosigners.

http://keyserver.mattrude.com/guides/public-key-association
http://www.gushi.org/make-dns-cert/HOWTO.html
https://grepular.com/Publishing_PGP_Keys_in_the_DNS

This is kind of like certificate authorities. But the letspgp trust model lies somewhere in between CA and WOT. You are free to get verified by several autosigners (this is recommended) and clients can implement heuristics of their choosing based upon these signatures.

https://www.google.com/amp/www.macg.co/logiciels/2016/04/thunderbird-le-developpement-continue-la-reprise-par-pep-en-pause-93770%3famp

https://prettyeasyprivacy.com/faq/
When will Enigmail/p≡p be available?

Enigmail/p≡p will be available in November/December 2016. These first releases will encrypt and verify email only and a follow on release which includes anonymization and messaging will be available later in 2016/2017.

https://mail.mozilla.org/pipermail/tb-planning/2016-February/004493.html
Thunderbird and Pretty Easy Privacy - current status

https://pep-project.org/2015-09/s1441611880
Enigmail and p≡p are partnering together for developing Enigmail/p≡p

https://wiki.gnupg.org/OpenPGPEmailSummit201512
	Challenge-response...

	User sends request for (email_address, pubkey) pairing certification.

	Autosigner receives the request and responds to the address with a secret. Message is encrypted to the user's pubkey.

	User receives (and decrypts) the secret. They send the secret back to the autosigner in a reply. They sign their reply.

	Autosigner checks the secret and the signature on the message. If it checks out, then the autosigner signs the email UID, certifying the email-pubkey link.

	Autosigner emails it to the user and (optionally) publishes it to the keyservers directly.

	U letspgp_request { email, pubkey }
	S letspgp_challenge { secret }
	U letspgp_response { secret }

	U letspgp_request { email, pubkey, sig }
	S letspgp_challenge { encrypt(pubkey,secret) }
	U letspgp_response { secret, sig }

	Can also check PGP Key Records:
	DNS PKA Records
	PGP CERT Records
	IPGP CERT Records

	Holistic checks:
	SPF/DKIM/dmarc
	Dnssec

	Autosigners may have several different signing keys for use depending on how confident they are in the legitimacy of the user's requested email-pubkey association.

	Strong (spf, dkim, dnssec, pka)
	Good (spf, dkim)
	Basic (spf)

	Autosigners signatures should expire and be automatically renewed. A user should be able to have multiple pubkeys associated to a single email address (because why not).

	Letspgp clients should come preseeded with verification methods for autosigners.

	http://keyserver.mattrude.com/guides/public-key-association
	http://www.gushi.org/make-dns-cert/HOWTO.html
	https://grepular.com/Publishing_PGP_Keys_in_the_DNS

	This is kind of like certificate authorities. But the letspgp trust model lies somewhere in between CA and WOT. You are free to get verified by several autosigners (this is recommended) and clients can implement heuristics of their choosing based upon these signatures.

	https://www.google.com/amp/www.macg.co/logiciels/2016/04/thunderbird-le-developpement-continue-la-reprise-par-pep-en-pause-93770%3famp

	https://prettyeasyprivacy.com/faq/
	When will Enigmail/p≡p be available?

	Enigmail/p≡p will be available in November/December 2016. These first releases will encrypt and verify email only and a follow on release which includes anonymization and messaging will be available later in 2016/2017.

	https://mail.mozilla.org/pipermail/tb-planning/2016-February/004493.html
	Thunderbird and Pretty Easy Privacy - current status

	https://pep-project.org/2015-09/s1441611880
	Enigmail and p≡p are partnering together for developing Enigmail/p≡p

	https://wiki.gnupg.org/OpenPGPEmailSummit201512