One alternative to SMTP for email: Confidant Mail

Mike Ingle mike at confidantmail.org
Thu Mar 26 22:26:35 CET 2015


> From the bit of testing I did with it, it seems the "email address" is
> merely used as a user identifier. The domain is irrelevant. You could
> use nobody at nonexistent-domain.com and it would still work. The email
> address doesn't actually have to exist.
>
> I don't think it does since the email address you use is in no way tied
> to the actual address. It is linked to the AUTH code generated by the
> server during user setup and that's about all. I used this e-mail
> address during the server/client setup test and I never received
> anything from the Confidant server I set up. From what I gathered
> reading through the docs, the Confidant protocol doesn't use domain
> names as identifiers, but each user has a specific identifier. The email
> address is just a more human readable way of referring to their
> identifier on the server. I could be wrong though and I'm sure Mike can
> explain it better.

Yes, the email address is just an identifier. The address is used in two
ways. One, it is hashed with SHA1 and used to look up the user's key id.
Two, you can search for a key using DNS, which means take the part of
the email address after @, prepend "cmsvr.", look up the corresponding
TXT record, and use that to find the CM server with the key.

At present, there is no key verification built in and you have to check
the key fingerprint (which is always shown to the right of the address)
or check a signature chain on your key using a GPG key manager.

If you get two keys with the same address, messages will show a key
collision and the automatic lookup will refuse to match. This reduces
the problem of someone making a key matching someone you know and
sending you an email that would otherwise look correct.

In the future, what I want to do is have some basic level of trust
assigned when (a) the key is fetched from a server which is listed in
the TXT record for the domain in the email address of that key and (b)
the server has a commercial SSL certificate for cmsvr.DOMAIN. That would
give some small amount of trust, roughly equivalent to SSL website
trust, to strangers using the system. It should provide
better-than-nothing security to careless people (at least stop passive
monitoring, but not active attacks), and good security to people who
exercise some caution.

> The intro page on your website says "SMTP-compatible address format:
> keep your existing email address". Have you checked whether google (or
> any other email provider) might have something to say about using
> addresses at their email domain name on a completely unrelated
> service?

They very well might, if I was the one making such claims. The claim is
made by whoever created the key, and it is just a claim. It's much like
using a gmail address as your username on a website - purely a shortcut
identifier. Not to be trusted.

> And does the Confidant Mail setup do any sort of challenge/response
> over SMTP to check the user controls the email address they are
> duplicating as a Confidant Mail address?

No. There is no authority in a position to do that. CM can run in a
purely peer-to-peer mode, and bogus keys are currently the biggest
threat to CM security (and to any encrypted email system that does not
have a central authority.) Check the fingerprint. Hopefully CM users
will put their address plus fingerprint on social media profiles,
email sig block, etc. Any hacking would therefore be public.

Mike
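The lookup rules described in the message above (SHA1 of the address to find the key id, the "cmsvr." TXT name derived from the domain for server discovery, and refusing to auto-match when two keys claim one address), as an added Python example that is not part of this message or of Confidant Mail's own code. The address normalization before hashing, the in-memory key-table layout, and the sample keys are assumptions constructed for the example; the real TXT record contents are not modelled.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def address_hash(address: str) -> str:
    """SHA1 of the address, used as the directory lookup key.
    Assumption: the address is trimmed and lower-cased before hashing;
    the message only says the address is hashed with SHA1."""
    return hashlib.sha1(address.strip().lower().encode("utf-8")).hexdigest()


def cmsvr_txt_name(address: str) -> str:
    """DNS name whose TXT record points at the CM server holding the key:
    the part of the address after '@' with 'cmsvr.' prepended."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        raise ValueError(f"not a usable address: {address!r}")
    return "cmsvr." + domain


class KeyCollision(Exception):
    """More than one key claims the same address; automatic matching refuses."""

    def __init__(self, address: str, key_ids: List[str]) -> None:
        super().__init__(f"{address}: {len(key_ids)} keys claim this address")
        self.key_ids = key_ids


class KeyDirectory:
    """Constructed in-memory stand-in for a CM server's key table
    (hash of address -> key id -> fingerprint); the layout is an assumption."""

    def __init__(self) -> None:
        self._keys: Dict[str, Dict[str, str]] = {}

    def add_key(self, address: str, key_id: str, fingerprint: str) -> None:
        self._keys.setdefault(address_hash(address), {})[key_id] = fingerprint

    def lookup(self, address: str) -> Optional[Tuple[str, str]]:
        """(key_id, fingerprint) if exactly one key claims the address,
        None if none does; KeyCollision if several do, so the caller has to
        fall back to checking the fingerprint shown next to the address."""
        claims = self._keys.get(address_hash(address), {})
        if not claims:
            return None
        if len(claims) > 1:
            raise KeyCollision(address, sorted(claims))
        ((key_id, fingerprint),) = claims.items()
        return key_id, fingerprint
```

A client that catches KeyCollision should stop at that point and ask the user to compare fingerprints out of band rather than pick one of the colliding keys.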
