Much easier Email crypto, by fetching pubkey via HTTPS
How does it work?
As an email user, you just select the recipient(s) and can see that the email will be encrypted.
If you and your peers use email providers offering this "service", it works from the first email. Otherwise encryption starts after you have exchanged some emails.
Technically, your email client will automatically
- prepare for this by creating a crypto key for you and uploading it to your provider (or, second best, to public keyservers).
- sign all emails so others see that you are ready for crypto (unless you opt out).
- ask the mail provider of your recipients for their pubkeys.
An email provider supporting privacy can
- provide a pubkey for its users via HTTPS; this is called "web key directory" (WKD).
- allow each user's email client to automatically manage, by email, the pubkey that gets published; this is called "web key service" (WKS).
- (if offering web-based email:) support the client part as well.
Details / Discussion
Pubkey Distribution Concept (wiki page EasyGpg2016/PubkeyDistributionConcept) <- the (technical) details
- 2016-09-08 OpenPGP.conf presentation by Werner Koch: Abstract (https://www.openpgp-conf.org/program.html#werner), Slides.PDF (https://www.openpgp-conf.org/2016/openpgp-2016-simple-key-discovery.pdf)
- 2016-09-08 OpenPGP.conf presentation by Bernhard Reiter, pages 21-24: Slides.ODP (https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.odp), Slides.PDF (https://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.pdf)
- 2016-09-09 "OpenPGP-Schlüssel über HTTPS verteilen" (Distributing OpenPGP keys via HTTPS), Golem news by Hanno Böck: http://www.golem.de/news/web-key-service-openpgp-schluessel-ueber-https-verteilen-1609-123194.html
- 2016-09-11 "Spezifikation für die Verteilung von OpenPGP-Keys per HTTPS veröffentlicht" (Specification for distributing OpenPGP keys via HTTPS published), Heise news by Johannes Merkert: https://www.heise.de/newsticker/meldung/Spezifikation-fuer-die-Verteilung-von-OpenPGP-Keys-per-HTTPS-veroeffentlicht-3317914.html
- 2016-09-11 "Anmerkungen zum Web Key Service" (Remarks on the Web Key Service), gnupg-de@ mailing list post by Werner Koch: http://lists.gnupg.org/pipermail/gnupg-de/2016-September/000547.html
- 2017-07-28 Draft 04 of the specs published (see details page linked above).
- 2017-10-10 LWN covers Werner Koch's talk at Kernel Recipes 2017: https://lwn.net/Articles/735840/
The elaborated proposal is a result of the EasyGpg2016 contract.
Implementations
Current GnuPG 2.2
- WKD lookup since v2.1.12, enabled by default since 2.1.23. Widespread rollout is expected in 2017 because the old GnuPG 2.0 is scheduled for end-of-life in December 2017.
- WKS server and client tools since GnuPG v2.1.14, which may help some providers (especially smaller ones); see the Web Key Service page (wiki page WKS).
Mail User Agents
(Note that mail user agents using a modern GnuPG 2.2 will automatically do WKD requests via GnuPG, so they are WKD-ready.)
Automatic pubkey bootstrapping (using the Web Key Service)
- Thunderbird/Enigmail 2.0 (https://www.enigmail.net/index.php/en/download/changelog) comes with WKD lookup and WKS publishing (since 2018-03-25).
- basic (pre-release) Kontact Mail/KMail support (part of EasyGpg2016)
- basic (pre-release) Thunderbird/Enigmail support (part of EasyGpg2016)
- active consideration in planning for mutt
- active consideration in planning for GpgOL (Gpg4win's Outlook Plugin)
Mail Service Providers
- Posteo (https://posteo.de/en/) offers web key directory lookup and service for @posteo.de addresses (since 2016-12).
- netzguerilla (https://netzguerilla.net) offers web key directory lookup (since 2017-10-11).
- mailbox.org (https://mailbox.org/en/) plans to offer web key directory lookup in Q2 2018 (coming with OX Guard 2.10, https://knowledgebase.open-xchange.com/roadmap.html#21).
- (Self-)hosted email servers that run the caesonia OpenBSD email service setup (https://github.com/vedetta-com/caesonia/).
- (gnupg.org) Testing accounts by request for developers implementing WKS in Free Software MUAs.
- (Several smaller organisations, like - unsurprisingly - g10code.com and intevation.de. Let us know if you want to be publicly listed.)
WKD stand-alone (without WKS)
- wks-tools (wiki page WKDHosting) helps to publish a single pubkeyring via static HTTPS.
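The lookup step described under "How does it work?" (the client asking the recipient's mail provider for a pubkey) and the static publishing just mentioned both come down to one mapping: email address to a fixed HTTPS path. The following is an added example, not code from this wiki page, from GnuPG or from wks-tools. It follows the Web Key Directory draft as I know it: the local part is lower-cased, hashed with SHA-1, and the digest is z-base-32 encoded to form the file name under `.well-known/openpgpkey/hu/`; the `openpgpkey.<domain>` host variant ("advanced method") is from later drafts than the Draft 04 named above, and the function and variable names are my own.

```python
"""WKD lookup URL and static publish path for an email address.

Added example (not from the GnuPG wiki, GnuPG or wks-tools).  Assumes the
WKD draft's mapping: lower-cased local part -> SHA-1 -> z-base-32, served
at .well-known/openpgpkey/hu/<hash> on the mail domain (direct method) or
on openpgpkey.<domain> with the domain repeated in the path (advanced
method, later drafts).  Names below are this example's own.
"""
import hashlib
from typing import Dict, Tuple

# z-base-32 alphabet (Phil Zimmermann's variant) as used by the WKD draft.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5                 # 5 bits per output character
    # Right-pad with zero bits up to a 5-bit boundary (no-op for 20 bytes).
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F]
        for i in range(nchars)
    )


def split_address(email: str) -> Tuple[str, str]:
    """Split 'local@domain' on the last '@'; the domain is lower-cased."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    return local, domain.lower()


def wkd_hash(local_part: str) -> str:
    """Hash the local part as WKD does: lower-case, SHA-1, z-base-32 (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_lookup_url(email: str, advanced: bool = False) -> str:
    """URL a WKD client fetches for this address.

    The l= query parameter carries the original (not lower-cased) local
    part so the server can do its own matching.
    """
    local, domain = split_address(email)
    hashed = wkd_hash(local)
    if advanced:
        return ("https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s?l=%s"
                % (domain, domain, hashed, local))
    return "https://%s/.well-known/openpgpkey/hu/%s?l=%s" % (domain, hashed, local)


def wkd_publish_paths(email: str) -> Dict[str, str]:
    """Relative paths a static web root must serve for the direct method.

    'key' is where the binary (non-armored) public key goes; 'policy' is
    the (possibly empty) file clients use to detect that WKD is offered.
    """
    local, _domain = split_address(email)
    return {
        "key": ".well-known/openpgpkey/hu/%s" % wkd_hash(local),
        "policy": ".well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    # Constructed sample address (the WKD draft's own worked example).
    addr = "Joe.Doe@Example.ORG"
    print(wkd_lookup_url(addr))
    print(wkd_lookup_url(addr, advanced=True))
    print(wkd_publish_paths(addr))
```

Because the hash covers only the lower-cased local part, `Joe.Doe@Example.ORG` and `joe.doe@example.org` resolve to the same file, which is what lets a provider publish one key per mailbox regardless of how senders type the address. The trust model is the one the page describes: the client relies on HTTPS to the recipient's own mail domain, i.e. on the same operator that already delivers that recipient's mail, and a client should still check that the returned key carries a user ID for the address it asked about.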