One alternative to SMTP for email: Confidant Mail
2014-667rhzu3dc-lists-groups at riseup.net
Fri Mar 27 00:24:09 CET 2015
-----BEGIN PGP SIGNED MESSAGE-----
On Thursday 26 March 2015 at 9:26:35 PM, in
<mid:5514798B.7020402 at confidantmail.org>, Mike Ingle wrote:
> Yes, the email address is just an identifier. The
> address is used in two ways. One, it is hashed with
> SHA1 and used to look up the user's key id.
I'm in favour of hashing email addresses in key UIDs.
> At present, there is no key verification built in and
> you have to check the key fingerprint (which is always
> shown to the right of the address) or check a signature
> chain on your key using a GPG key manager.
Or you can Trust On First Use, if it suits your threat model.
MFPA>>The intro page on your website says "SMTP-compatible
>>address format: keep your existing email address".
>>Have you checked whether Google (or any other email
>>provider) might have something to say about using
>>addresses at their email domain name on a completely
> They very well might, if I was the one making such
> claims. The claim is made by whoever created the key,
> and it is just a claim.
You are the one stating that the user can keep their existing SMTP
email address to use on CM. Given that you do not have a process in
place to verify the user's SMTP email address, I think that is a
pretty bold statement.
Any thoughts on the possible outcomes when a high-profile
politician/celebrity/company with deep pockets finds they are unable
to effectively use their SMTP email address on CM due to messages
showing a key collision and the automatic lookup refusing to match
because somebody got the address first? Maybe nothing, but worthy of
> It's much like using a gmail
> address as your username on a website - purely a
> shortcut identifier. Not to be trusted.
I have used websites and services where usernames are email addresses,
but not without some form of challenge/response. (Click the link in
the email, reply to the email, enter the code that was in the
encrypted email, etc.)
MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
Change is inevitable except from a vending machine
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
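An added example, not part of the original message and not Confidant Mail's code: a client-side model of the lookup discussed in this thread, where an address is hashed with SHA1 to find a key, nothing verifies the claim, and the client either trusts on first use or checks a fingerprint. The normalization before hashing, the `Directory` and `PinStore` classes, the status names and the stand-in fingerprint are all assumptions made for illustration.

```python
import hashlib

def address_index(address):
    # Assumption: trim, lowercase and UTF-8 encode before hashing; the thread only says "hashed with SHA1".
    return hashlib.sha1(address.strip().lower().encode("utf-8")).hexdigest()

def fingerprint(key_bytes):
    # Stand-in fingerprint over constructed key blobs (not a real OpenPGP fingerprint).
    return hashlib.sha1(key_bytes).hexdigest().upper()

class Directory:
    """Hypothetical lookup service: address hash -> claimed keys, with no verification of the claim."""
    def __init__(self):
        self._claims = {}
    def publish(self, address, key_bytes):
        self._claims.setdefault(address_index(address), []).append(key_bytes)
    def lookup(self, address):
        return list(self._claims.get(address_index(address), []))

class PinStore:
    """Client-side Trust On First Use: remember the first fingerprint accepted for an address."""
    def __init__(self):
        self._pins = {}
    def resolve(self, directory, address, verified_fpr=None):
        idx = address_index(address)
        fprs = sorted({fingerprint(k) for k in directory.lookup(address)})
        if not fprs:
            return ("not_found", None)
        if verified_fpr is not None:  # fingerprint obtained out of band by the user
            if verified_fpr not in fprs:
                return ("mismatch", None)
            self._pins[idx] = verified_fpr
            return ("verified", verified_fpr)
        pinned = self._pins.get(idx)
        if pinned is not None:
            return ("pinned", pinned) if pinned in fprs else ("mismatch", None)
        if len(fprs) > 1:  # several keys claim the address: refuse to match automatically
            return ("collision", None)
        self._pins[idx] = fprs[0]
        return ("first_use", fprs[0])

if __name__ == "__main__":
    d, early, late = Directory(), PinStore(), PinStore()
    d.publish("Alice@Example.org", b"constructed-key-A")  # constructed sample data
    print(early.resolve(d, "alice@example.org"))   # first_use: key A is pinned
    d.publish("alice@example.org", b"constructed-key-B")  # a second, unverified claim
    print(early.resolve(d, "alice@example.org"))   # pinned: earlier contact keeps key A
    print(late.resolve(d, "alice@example.org"))    # collision: new contact must check a fingerprint
```

A client that pinned before the second claim keeps working, while a new correspondent gets no automatic match until a fingerprint is checked out of band.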