I'd like to discuss a thought that has come up in my work on k9 mail:
Using OpenPGP in E-Mail without relying on keyservers.
Important use-case.
If we don't have bandwidth constraints, we can solve this by sticking
the public key block right next to every signature we make, which
effectively eliminates the need for keyservers (with the possible
exception of the distribution of revocation certs). However, it also
adds ~10kb of size to every signature. This is a rather extreme
approach, and although 10kb are not a lot these days, they add up.
Not necessarily -- I don't think you have to add all signatures to the
key for this use-case to work, do you? If you just include a stripped
public key, verification of the signature will work. It should be max
1-2kb I would guess.
To counteract this, we can significantly reduce the number of attached
public keys if we are just a little bit clever about the decision of
when to add it. Roughly, it makes sense to attach the public key to
the first message of a conversation with each recipient.
It sounds good in theory, but I don't think that will work. Let's
compare how I use e-mail clients. I use k9, claws, evolution, webmail,
and probably several other clients that I forgot. I don't read all
emails in all clients, of course. I only read the emails that I need
in the client I happen to have available. So if you only include the
public key in the first message of a conversation, the majority of my
clients would never see that email because of my usage pattern. None
of any newly installed MUA would ever see the email, which over time
tends to approach 100% of my MUAs since I re-install most of them from
time to time.
Now it may be that my usage pattern is a corner case, but I believe it
is typical for many users today.
Another question is, where to place the key. In email, we have two
options: in a separate mime part, or directly next to the pgp
signature data.
You could put it in the email header too. It would be bizare for
larger keys, but at least possible in theory.
Also, the OpenPGP mail/news url field header was intended to provide an
indirect way to support this:
http://josefsson.org/openpgp-header/
You still have some of the keyserver privacy concerns, and require
a network connection, but I'd just like to mention it as another option
to consider.
I favor the second option, for two reasons:
I agree it could work. Write an I-D describing the approach and try to
get MUA client support for it.
/Simon
pgp_9XIujh6Ct.pgp
Description: OpenPGP digital signatur
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp