Hi,
This is my first email to this mailing list, so apologies in case it does not
follow any specific standard procedure. It is however a genuine thought and
hope it is relevant to the SMTP standard.
Some context -
With rising data privacy concerns, more and more users are starting to adopt
end-to-end encrypted communication methods or zero-knowledge solutions. However
the interoperability of related services remains very limited.
Specifically looking at end-to-end encrypted email providers, the general
implementation approach follows the below high-level workflow -
- Consider that Bob would like to send an end-to-end encrypted email to Alice
- Bob creates a new draft email in the email interface of his preferred
end-to-end encrypted email provider
- While Bob drafts his email to Alice, all draft versions are stored encrypted
in Bob's server-side draft email folder using his own public key
- Once Bob finishes his email to Alice and selects the send option, his email
application retrieves the public key for Alice, encrypts the email with her
public key and transmits the email using the standard email protocols available
- In parallel a copy of the sent email is stored in Bob's sent items, again
encrypted with his own public key
Since the availability of the recipient's public key is fundamental to such
end-to-end encrypted email implementations, the interoperability between
end-to-end email providers depends on standards for public key exchanges. It is
hereby assumed that the crypto-system actually used for encrypting emails using
the public keys does not represent a challenge for email providers.
In order to address this interoperability issue in a standards-centric
approach, the proposal is the addition of a new SMTP command to allow the
retrieval of a recipient's public key prior to the transmission of a mail. This
will enable the sender to encrypt the email content before the same is
transmitted through the existing SMTP commands.
Such a Get Key (GETK) or Public Key (PKEY) command in the SMTP standard would
take an email address as a parameter and, if implemented, return the public key
of the mailbox user.
As the SMTP standard is widely adopted, the introduction of such a command
could exponentially increase the adoption of more secure email communication.
Alternative options such as the use of separate and dedicated key stores to
solve this issue have not only been unsuccessful in driving higher security for
email communication, but they also operate outside of the established standards
and infrastructure deployed by email providers across the globe.
Even for using encryption programs that operate outside of the email
ecosystem, e.g. PGP, such an extension can provide a more trusted option to
retrieve the public key from the recipient's email provider.
Many thanks for your consideration.
Best,
Patrick P
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
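
Added example, not part of the original message: a toy in-memory model of the exchange the proposal describes, showing both the server replies and a client that falls back when the command is unavailable. The message names GETK but defines no syntax, so the `GETK <mailbox>` form, the `GETK` EHLO keyword, the use of reply codes 250/500/501/550 for it, the base64 key encoding and all function names are assumptions.

```python
# Added illustration: GETK syntax, its EHLO keyword and the reply texts are
# assumptions; the proposal names the command but defines no wire format.
import base64
import re

# Constructed sample data: placeholder bytes, not a real public key.
KEYSTORE = {"alice@example.org": b"constructed-public-key-for-alice"}
GETK_LINE = re.compile(r"^GETK <([^<>\s@]+@[^<>\s@]+)>$", re.IGNORECASE)


def server_reply(line, keystore=KEYSTORE, getk_enabled=True):
    """Return the reply lines a toy SMTP server gives for one command line."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "EHLO":
        lines = ["250-mx.example.org"]
        if getk_enabled:
            lines.append("250-GETK")  # hypothetical extension keyword
        return lines + ["250 8BITMIME"]
    if verb == "GETK":
        if not getk_enabled:
            return ["500 Command not recognized"]
        match = GETK_LINE.match(line)
        if not match:
            return ["501 Syntax: GETK <mailbox>"]
        key = keystore.get(match.group(1))
        if key is None:
            return ["550 No public key for that mailbox"]
        return ["250 " + base64.b64encode(key).decode("ascii")]
    return ["502 Command not implemented"]


def fetch_key(address, exchange):
    """Client side: request the key only if the server advertised GETK.

    `exchange` sends one command line and returns the reply lines.
    Returns the key bytes, or None when the sender has to fall back
    (extension absent, no key stored, or a malformed reply).
    """
    ehlo = exchange("EHLO client.example.net")
    keywords = {reply[4:].split(" ")[0].upper() for reply in ehlo[1:]}
    if "GETK" not in keywords:
        return None
    reply = exchange(f"GETK <{address}>")[-1]
    if not reply.startswith("250 "):
        return None
    try:
        return base64.b64decode(reply[4:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
```

The bytes returned by `fetch_key` are unauthenticated: the client trusts whatever the answering server and the connection deliver.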