New: Posteo public key directory
Created on 4 December 2015, 15:30 | Category: Info
Dear Posteo users and interested parties,
We want to make exchanging public keys for end-to-end encryption easier and more secure. Today we have taken a first step towards this: you can now publish your public PGP or S/MIME key in the new Posteo key directory, and thereby also publish it, protected against tampering, in the DNS, the internet's so-called telephone book. Over the coming weeks we will progressively activate further options for the new Posteo key directory.
For some time, various players in internet security have been working on making the exchange of keys for end-to-end encryption easier and more secure: public keys are to be stored and made available in the DNS in a way that protects them against tampering. New, open standards for this will soon be adopted. Behind the scenes we have long been working on simplifying the key exchange process in several steps, in line with these new standards. The standards are still Internet-Drafts, but we consider them mature enough that we have started to use them.
The DNS record type for publishing PGP keys, OPENPGPKEY, was assigned some months ago. Over the last few months we became involved in the responsible IETF working group so that the DNS parameters for S/MIME keys would also be assigned by IANA, which administers the DNS parameter registries. For us, S/MIME is an equally valid and equally important encryption standard.
On Tuesday, IANA also assigned the record type for publishing S/MIME keys in the DNS: SMIMEA.
We can therefore now add the public S/MIME or PGP key you use for encrypted email to the DNS. There, others can find your key and use it to encrypt email to you. Your key is published in the key directory, protected against tampering, using the forthcoming OPENPGPKEY and SMIMEA record types. This corresponds to DANE: DANE secures TLS server certificates in the DNS with TLSA records, while OPENPGPKEY and SMIMEA secure the public keys used for email communication against tampering in the same way. As with DANE, keys for end-to-end encryption published in the DNS are signed with DNSSEC. Note that this protection only takes effect if the side looking up the key validates the DNSSEC signatures: a client or resolver that does not validate would accept a forged record just as readily as a forged key server answer.
Through the use of security technologies such as NSEC3, we also prevent mass collection of email addresses and keys from the DNS: the records are not stored under the email address itself but under a hash of it, and NSEC3 prevents the zone from simply being walked to list its names. A key can therefore only be retrieved for a specific email address that the person searching already knows; an attacker can at most check guessed addresses one at a time. This actively prevents the misuse of the DNS as a source of email addresses for spammers.
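As an added illustration of the two paragraphs above (this is example code written for this page, not Posteo's software), the Python below derives the DNS owner names under which the OPENPGPKEY (RFC 7929) and SMIMEA (RFC 8162) records for an address live, builds both record types in zone-file presentation format, and checks a certificate against SMIMEA record data. The key and certificate bytes are constructed placeholders, not a real OpenPGP key or X.509 certificate; hugh@example.com is the example address from those specifications. It also shows why the directory cannot be harvested by walking the zone: the owner name holds only a truncated SHA-256 of the local part, so a searcher must already know the exact address.

```python
"""OPENPGPKEY / SMIMEA owner names and records (added example, not Posteo's code).

SAMPLE_KEY and SAMPLE_CERT are constructed placeholders, not a real OpenPGP
key or DER certificate; the hashing and record layout follow RFC 7929/8162.
"""
import base64
import hashlib


def hashed_local_part(local_part: str) -> str:
    """SHA2-256 of the UTF-8 local part, truncated to 28 octets, as 56 hex chars.

    The local part is hashed exactly as given: RFC 5321 makes it case-sensitive,
    so spellings that differ in case hash to different owner names.
    """
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return digest.hex()


def _split(email: str):
    """Split into (local part, lowercased domain); reject anything without '@'."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return local, domain.lower().rstrip(".")


def openpgpkey_owner_name(email: str) -> str:
    """QNAME under which the OPENPGPKEY record of an address is published."""
    local, domain = _split(email)
    return f"{hashed_local_part(local)}._openpgpkey.{domain}."


def smimea_owner_name(email: str) -> str:
    """QNAME for the SMIMEA record; only the fixed label differs."""
    local, domain = _split(email)
    return f"{hashed_local_part(local)}._smimecert.{domain}."


def openpgpkey_rr(email: str, public_key: bytes, ttl: int = 3600) -> str:
    """Zone-file line. RDATA is the binary (not ASCII-armored) transferable
    public key, shown base64-encoded in presentation format."""
    b64 = base64.b64encode(public_key).decode("ascii")
    return f"{openpgpkey_owner_name(email)} {ttl} IN OPENPGPKEY {b64}"


def smimea_rr(email: str, cert_der: bytes, ttl: int = 3600) -> str:
    """Zone-file line with certificate usage 3 (DANE-EE), selector 0 (full
    certificate) and matching type 1 (SHA2-256 of the DER certificate)."""
    assoc = hashlib.sha256(cert_der).hexdigest()
    return f"{smimea_owner_name(email)} {ttl} IN SMIMEA 3 0 1 {assoc}"


def smimea_matches(rdata: str, cert_der: bytes) -> bool:
    """Check a certificate presented in a message against SMIMEA RDATA of the
    form '3 0 1 <hex>'. Any other usage/selector/matching-type combination is
    rejected rather than silently treated as a match."""
    fields = rdata.split()
    if len(fields) != 4:
        return False
    usage, selector, mtype, assoc = fields
    if (usage, selector, mtype) != ("3", "0", "1"):
        return False
    return hashlib.sha256(cert_der).hexdigest() == assoc.lower()


# Constructed placeholders for demonstration only.
SAMPLE_KEY = b"\x99\x01\x0d\x04" + b"\x00" * 16   # not a real OpenPGP packet
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\x01" * 16  # not a real X.509 DER cert

if __name__ == "__main__":
    print(openpgpkey_owner_name("hugh@example.com"))
    print(openpgpkey_rr("hugh@example.com", SAMPLE_KEY))
    print(smimea_rr("hugh@example.com", SAMPLE_CERT))
```

The owner name the first function prints is what a client queries, with record type OPENPGPKEY, at a DNSSEC-validating resolver; GnuPG 2.1 performs that lookup itself when `--auto-key-locate dane` is set. Because only the hash appears in the zone, enumerating the directory would mean hashing one guessed address at a time, and NSEC3 keeps the unhashed names from being revealed by the zone's denial-of-existence records.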
OPENPGPKEY and SMIMEA are intended as an alternative to the key servers in widespread use until now, which exhibit several problems:
Until now, anyone can upload your public key to the worldwide key servers, even if you do not want this; anyone can also upload a forged key in your name. Keys uploaded there can no longer be deleted, so a key search on the worldwide key servers turns up multiple, outdated or incorrect keys for one email address. The key servers also hold a multitude of valid email addresses, which spammers can harvest by requesting addresses from the key servers on a mass scale in order to send spam to them. Anonymity suffers as well: with OpenPGP, anyone can see who has signed (certified) whose key, much like on a social network, so each person's social connections are open to view. The new process at Posteo has none of these weaknesses.
The Posteo key directory is found in the settings of your Posteo account, under “PGP and S/MIME encryption”.
Before uploading your key to the Posteo key directory, please check that it conforms to the Posteo guidelines. Among other requirements, to protect your privacy you can only upload a key that contains your Posteo email address or one of your aliases (as a user ID of a PGP key, or in the certificate of an S/MIME key).
OPENPGPKEY lookup is already implemented in the standard software GnuPG (version 2.1 locates keys in the DNS when --auto-key-locate dane is set), and Verisign is working on an SMIMEA plugin for Thunderbird. We hope that OPENPGPKEY and SMIMEA spread quickly, so that exchanging public keys becomes easier and more secure.
The Posteo team