Status: Work in progress
The software components we plan to change or consider as part of the contract:
- email clients (Kontact Mail and Thunderbird with Enigmail as example for others)
- GnuPG backend
- a service located at the email service provider
- central fallback server
- classic certificate ("key") server
How should an improved email client work?
User A wants to send a signed/encrypted email to user B. A has only the email address of B. A's email client gets the OpenPGP (public) certificate from B's email service provider (step 1+2) which is used to encrypt the email to B.
How should an improved GnuPG backend work?
User A wants to send a signed/encrypted email to user B. The email client of A needs the certificate of B. The client asks via GpgME [1a] or directly via gpg command [1b] for the certificate with the email address of B. Gpg checks if the certificate is already in the local store of public keys . If not, the Dirmngr is called  to ask the Email Service Provider of B [4a]. If there is no certificate the Dirmngr asks the fallback server [4b]. Only if [4a] and [4b] have no results for the requested email address the classic certificate ("key") servers are used to find a matching certificate for B [4c]. If Dirmngr gets a certificate for B it is sent back to gpg command  which imports it into the public key store and sends it back to the email client . Now the email client can encrypt the email to B.