Section 3 describes one-time keys, that are sent with messages to
allow a the recipient to reply with immediate forward secrecy
(immediately after receipt).
I wonder if we could use a one-time key server to avoid the need for
interactive use of email (need a reply from the recipient to get a key
to reply to).
Lets say we add a new function to keyservers which is that you submit
a whole bunch of keys, and it hands them out on request, and deletes
them after they've been received.
I guess there's a pretty easy DoS there -- someone just goes and
repeatedly downloads all available keys, to deny others the ability to
obtain one-time keys.
There might be some weak approaches to resist this DoS (eg refuse to
provide more than one one-time key per time period to the same IP
address), but they are just that -- weak.
Adam