STEED - Usable end-to-end encryption

Peter Lebbing peter at
Wed Oct 19 21:30:48 CEST 2011

Werner, Marcus,

Thank you for thinking about taking end-to-end e-mail encryption to the next
level. I really like your ideas.

However, I think you're not ambitious enough when you opt for using DNS for key
distribution. Yes, the infrastructure and RR types[1] are already there. But it
brings this nasty dependency on the provider, because the part where the client
updates the DNS is a key missing piece of the DNS infrastructure as it is today, and
I don't see providers adding that soon.

I'm thinking more of things like DHT, Distributed Hash Tables, in BitTorrent, or
similar concepts in other peer-to-peer networks. I have no idea how it works :),
but it does. You fire up your BitTorrent, all the data it needs is the hash of a
torrent file, and suddenly it learns IP-addresses of other people who share that
torrent file. If you could do something similar for mapping e-mail addresses to
certificates, you don't need ISPs to implement extra stuff. Because I think
that is a really major hurdle; probably too steep a one, IMHO.

And if you design that infrastructure general enough to do X-to-certificate, we
could use the same infra for opportunistic end-to-end encryption of TCP/IP,
which would be great to have too, but a different paper altogether :).


[1] "Entries" in the DNS, for people not up to DNSpeed ;)
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
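The lookup sketched above (hash of an e-mail address as the DHT key, certificate as the value, no ISP in the path), as an added toy example that is not part of the original post or of any STEED or GnuPG code. The node ids, the `ToyDHT` class, the sample "certificate" records and the fingerprint strings are all constructed for illustration; a real deployment would use a Kademlia-style network and real OpenPGP certificates. The one check the example does add is the defender's sanity check a client should never skip: the record that comes back must actually belong to the address that was asked for, because a plain DHT has no authority over who may publish under a given key.

```python
import hashlib
from dataclasses import dataclass, field


def dht_key(email: str) -> int:
    """Map an e-mail address to a 160-bit DHT key (hypothetical scheme)."""
    normalized = email.strip().lower().encode()
    return int.from_bytes(hashlib.sha1(normalized).digest(), "big")


def node_id_from_label(label: str) -> int:
    """Constructed node ids: in a real DHT these would be random 160-bit ids."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


@dataclass
class Node:
    node_id: int
    store: dict = field(default_factory=dict)  # key -> certificate record


class ToyDHT:
    """Minimal XOR-distance DHT: each record lives on the `replicas` nearest nodes."""

    def __init__(self, node_ids, replicas=2):
        self.nodes = {nid: Node(nid) for nid in node_ids}
        self.replicas = replicas

    def closest(self, key: int):
        # Kademlia-style metric: smaller XOR distance means "closer" to the key.
        return sorted(self.nodes.values(), key=lambda n: n.node_id ^ key)[: self.replicas]

    def publish(self, email: str, cert: dict) -> int:
        """Store a certificate record under hash(email) on the nearest nodes."""
        key = dht_key(email)
        for node in self.closest(key):
            node.store[key] = cert
        return key

    def lookup(self, email: str):
        """Fetch the record for an address; reject records bound to a different UID."""
        key = dht_key(email)
        wanted_uid = email.strip().lower()
        for node in self.closest(key):
            cert = node.store.get(key)
            if cert is None:
                continue
            # A DHT only guarantees key -> value, not that the value is honest:
            # at minimum the returned certificate must name the address we asked for.
            if cert.get("uid") != wanted_uid:
                raise ValueError(f"record under key for {wanted_uid!r} names {cert.get('uid')!r}")
            return cert
        return None


if __name__ == "__main__":
    dht = ToyDHT([node_id_from_label(f"node-{i}") for i in range(5)])
    # Constructed sample record; "fingerprint" is a placeholder, not a real key.
    dht.publish("Alice@Example.org", {"uid": "alice@example.org", "fingerprint": "CONSTRUCTED-FPR-0001"})
    print(dht.lookup("alice@example.org"))
    print(dht.lookup("bob@example.org"))
```

The UID check only catches a mismatched record; it does not tell the client whether the certificate really belongs to Alice, which is exactly the trust question a DHT leaves open and that a scheme like STEED still has to answer (trust on first use, signed records, or some other binding).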
