Okay, so what would a secure email alternative look like?
Can we design a system such that sending a message from alice@foo.com to bob@bar.com is reasonably secure and private? How does Signal/NOISE solve this? Why can those not be applied to non-messaging systems (or, at least, more traditionally structured messaging systems - which is itself a questionable definition since email threads are a hack; it's mostly just independent blobs)?
I guess I'm off to read the whitepapers for NOISE and Signal tonight to see how the models differ.
This is an instance where I'm perfectly happy to talk up Matrix! People would be a lot better off using Matrix than they would be trying to encrypt emails.
This is potentially the most interesting subthread on this otherwise well-trodden discussion. Some large entities (German Govt., Mozilla) have announced moves to Matrix. I'm curious as to whether there is anything inherent in the protocol that makes it more efficient for longer-form conversations than Signal (Matrix is also supposed to be for IM after all).
I would love to see a protocol added, so that when alice composes an email a request is sent to bob@bar.com with a special header to retrieve bob's private key. This in turn would be signed with a cert from bar.com, which in turn is signed by one of the same trusted CAs used for HTTPS traffic.
Is there anything like this currently implemented / standardized?
ActivityPub will bootstrap public keys from WebFinger (over TLS/HTTPS).
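As an added illustration of that WebFinger bootstrap (this is example code, not ActivityPub's or any server's own implementation): a client resolves `acct:bob@bar.example` to a WebFinger JRD, follows the `self` link to the actor document, and pulls out `publicKey.publicKeyPem`. All documents and the `FAKE_HTTPS` transport are constructed stand-ins for real HTTPS fetches, and the same-domain policy (the actor and key must live on the domain that served the JRD) is a conservative design choice of this example, not something every implementation enforces.

```python
import json
import re
from urllib.parse import quote, urlparse

# Constructed sample data: who we are looking up and what the hypothetical
# server bar.example would answer. Nothing here is fetched from the network.
ACCT = "acct:bob@bar.example"
ACTOR_URL = "https://bar.example/users/bob"
WEBFINGER_URL = "https://bar.example/.well-known/webfinger?resource=" + quote(ACCT, safe="")

WEBFINGER_JRD = json.dumps({
    "subject": ACCT,
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://bar.example/@bob"},
        {"rel": "self", "type": "application/activity+json", "href": ACTOR_URL},
    ],
})

ACTOR_DOC = json.dumps({
    "@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
    "id": ACTOR_URL,
    "type": "Person",
    "preferredUsername": "bob",
    "publicKey": {
        "id": ACTOR_URL + "#main-key",
        "owner": ACTOR_URL,
        # Placeholder PEM body; a real actor document carries an RSA public key here.
        "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n",
    },
})

# Hypothetical transport: URL -> response body, standing in for HTTPS GETs.
FAKE_HTTPS = {WEBFINGER_URL: WEBFINGER_JRD, ACTOR_URL: ACTOR_DOC}


def https_get(url, transport=FAKE_HTTPS):
    """Fetch only over TLS; the whole scheme rests on the WebPKI protecting the channel."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing non-TLS URL: " + url)
    if url not in transport:
        raise LookupError("no such resource: " + url)
    return transport[url]


def domain_of(acct):
    """Extract the host part of an acct: URI (the party we will ask about this user)."""
    m = re.fullmatch(r"acct:([^@/]+)@([^@/]+)", acct)
    if not m:
        raise ValueError("not an acct: URI: " + acct)
    return m.group(2).lower()


def discover_public_key(acct, transport=FAKE_HTTPS):
    """Resolve acct -> WebFinger JRD -> actor document -> public key, with origin checks."""
    domain = domain_of(acct)
    jrd = json.loads(https_get(f"https://{domain}/.well-known/webfinger?resource={quote(acct, safe='')}", transport))
    if jrd.get("subject") != acct:
        raise ValueError("JRD subject does not match the requested account")
    self_links = [l["href"] for l in jrd.get("links", [])
                  if l.get("rel") == "self" and l.get("type") == "application/activity+json"]
    if len(self_links) != 1:
        raise ValueError("expected exactly one ActivityPub self link")
    actor_url = self_links[0]
    # Policy of this example: bar.example may only vouch for actors it hosts itself.
    if (urlparse(actor_url).hostname or "").lower() != domain:
        raise ValueError("actor document hosted off-domain: " + actor_url)
    actor = json.loads(https_get(actor_url, transport))
    if actor.get("id") != actor_url:
        raise ValueError("actor id does not match the URL it was fetched from")
    key = actor.get("publicKey") or {}
    if key.get("owner") != actor_url or (urlparse(key.get("id", "")).hostname or "").lower() != domain:
        raise ValueError("public key not owned by this actor on this domain")
    pem = key.get("publicKeyPem", "")
    if not pem.startswith("-----BEGIN PUBLIC KEY-----"):
        raise ValueError("publicKeyPem is not a PEM public key")
    return {"actor": actor_url, "key_id": key["id"], "public_key_pem": pem}


def tampered_transport(self_href):
    """Constructed negative case: a JRD whose self link points somewhere else."""
    jrd = json.loads(WEBFINGER_JRD)
    for link in jrd["links"]:
        if link["rel"] == "self":
            link["href"] = self_href
    t = dict(FAKE_HTTPS)
    t[WEBFINGER_URL] = json.dumps(jrd)
    return t


def is_rejected(transport):
    """True if discovery refuses the given (possibly tampered) set of documents."""
    try:
        discover_public_key(ACCT, transport)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(discover_public_key(ACCT))
```

The trust anchor here is the TLS certificate of `bar.example`; the checks after the fetch only make sure that certificate is not being used to vouch for a key hosted somewhere else.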
Keybase has an even more complicated key escrow-based system (that works for any of their "Proof" types, not just domain ownership) if you trust their clients, where your client generates an ad hoc key for the recipient and essentially a "for bob's ears only" claim and on verifiable Proof from Bob securely exchanges the ad hoc key to Bob's new public key. Which is interesting because it allows for people that haven't yet set up keys to eventually receive them so long as you trust Keybase's clients and their Proof infrastructure.
There's something crappy-ish and similar for email with DKIM. That doesn't sound the same, because it's the server signing, not the sender -- but in this protocol you're kinda already trusting the server anyway. The critical difference is that DKIM is not protected with WebPKI.
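To make the "server signs, not the sender" point concrete, here is an added example (not code from the thread or from any DKIM library) that parses `DKIM-Signature` headers from a constructed message and reports what each signature actually binds: the `d=` domain, the DNS name the verifier would fetch the key from, whether `From` is among the signed headers, and whether `d=` aligns with the `From` domain as a DMARC-style receiver would check. It does not verify the signature cryptographically (that needs the key from DNS); `org_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message with two signatures: one from the From domain
# itself, one from a hypothetical third-party bulk sender that did not sign From.
RAW_MAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foo.example; s=mail2024;
 h=from:to:subject:date:message-id; bh=CONSTRUCTEDBODYHASH=;
 b=CONSTRUCTEDSIGNATURE==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bulk-sender.example;
 s=k1; h=to:subject:date; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE2==
From: Alice <alice@foo.example>
To: Bob <bob@bar.example>
Subject: hello
Date: Mon, 01 Jan 2024 00:00:00 +0000
Message-ID: <1@foo.example>

body text
"""


def parse_dkim_tags(header_value):
    """Split a DKIM tag=value list (RFC 6376 style) into a dict, ignoring folding whitespace."""
    tags = {}
    for part in header_value.replace("\r", "").replace("\n", "").split(";"):
        part = part.strip()
        if not part:
            continue
        k, _, v = part.partition("=")
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def org_domain(domain):
    """Simplified organisational domain: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def dkim_alignment(raw_message, mode="relaxed"):
    """Return (from_domain, per-signature report). Identifier alignment only, no crypto."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        t = parse_dkim_tags(value)
        d = t.get("d", "").lower()
        signed = [h.lower() for h in t.get("h", "").split(":") if h]
        aligned = (d == from_domain) if mode == "strict" else (org_domain(d) == org_domain(from_domain))
        report.append({
            "d": d,
            "selector": t.get("s", ""),
            # Where a verifier would look up the public key: <selector>._domainkey.<d>
            "dns_key_name": f"{t.get('s', '')}._domainkey.{d}",
            "covers_from": "from" in signed,
            "aligned_with_from": aligned,
        })
    return from_domain, report


if __name__ == "__main__":
    sender, sigs = dkim_alignment(RAW_MAIL)
    print(sender)
    for s in sigs:
        print(s)
```

What the report makes visible is that a valid DKIM signature proves only that the `d=` domain's mail server signed those headers with a key published in that domain's DNS; it says nothing about the person at the keyboard, and a signature from an unrelated domain that does not even cover `From` gives the recipient no assurance about the author.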