One-Sided Forward Secrecy for Anonaddy with DANE and OpenPGP #729
Closed
CrypticCommit
started this conversation in
Feature Requests
Replies: 1 comment
I propose that Anonaddy automatically create an OPENPGPKEY record (RFC 7929) for each new alias via a DNS management API. This would allow senders to use a unique public key for each alias and send encrypted messages to Anonaddy.
Currently, PGP/GPG lacks forward secrecy, meaning that if a private key is compromised, all previous messages can be decrypted. This poses a security risk and contributes to the dislike of PGP/GPG. Regularly rotating these OPENPGPKEY records could mitigate this issue, as each sender would use a new key for every email. After rotation, Anonaddy should forget the corresponding private key.
This would provide forward secrecy on the sender's side, which is an improvement since Anonaddy users have no control over the sender's infrastructure.
You can find a simple OPENPGPKEY record generator here: OpenPGPKey Records Are Cool.
What do you think?

I just realized that almost no one, except by chance my DNS provider, supports the DANE/OpenPGP DNS record, including UpCloud. One option is to use WKD (Web Key Directory) for all aliases, even without DNSSEC. This would let you check web server logs to see if someone is testing the email aliases (to send spam). However, this has a privacy downside: the operator of Anonaddy could see when the key was accessed in the logs, along with the IP address of the potential email sender.
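As an added example (not code from this discussion or from the Anonaddy project), the RFC 7929 owner-name derivation and zone-file presentation the proposal relies on, plus the per-alias rotation bookkeeping with one caveat the thread does not mention: a resolver may still serve the old record for up to its TTL, so the replaced private key should survive a grace period before it is forgotten. `keygen`, the key bytes and the TTL/slack values are placeholders, not real OpenPGP material.

```python
import base64
import hashlib
import time

OPENPGPKEY_RRTYPE = 61  # RR type code assigned to OPENPGPKEY by RFC 7929

def openpgpkey_owner_name(address: str) -> str:
    """RFC 7929 section 3: SHA-256 of the UTF-8 local-part, truncated to
    28 octets and hex-encoded, as one label under _openpgpkey.<domain>.
    The local-part is hashed as given, so 'Alias@' and 'alias@' differ."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.rstrip('.')}."

def openpgpkey_rr(address: str, public_key: bytes, ttl: int) -> dict:
    """Zone-file presentation. RDATA is the binary (not ASCII-armored)
    transferable public key; 'generic' is the RFC 3597 form for DNS
    providers that do not know the OPENPGPKEY type name."""
    owner = openpgpkey_owner_name(address)
    b64 = base64.b64encode(public_key).decode()
    return {
        "native": f"{owner} {ttl} IN OPENPGPKEY {b64}",
        "generic": f"{owner} {ttl} IN TYPE{OPENPGPKEY_RRTYPE} \\# {len(public_key)} {public_key.hex()}",
    }

class AliasKeyRotation:
    """Per-alias rotation as proposed, plus a grace period: senders may still
    encrypt to a record cached for up to TTL seconds, so a replaced private key
    is kept for TTL + delivery slack. keygen: stub () -> (public, private)."""

    def __init__(self, keygen, ttl=300, delivery_slack=3600, now=time.time):
        self._keygen, self._ttl, self._slack, self._now = keygen, ttl, delivery_slack, now
        self._keys = {}  # alias -> [(private_key, forget_at or None), ...]

    def rotate(self, address: str) -> dict:
        public, private = self._keygen()
        keys = self._keys.setdefault(address, [])
        if keys:  # the key being replaced starts its grace period now
            keys[-1] = (keys[-1][0], self._now() + self._ttl + self._slack)
        keys.append((private, None))
        return openpgpkey_rr(address, public, self._ttl)

    def private_keys(self, address: str) -> list:
        """Keys still able to decrypt: the current one plus any in grace."""
        now = self._now()
        self._keys[address] = [(k, t) for k, t in self._keys.get(address, [])
                               if t is None or t > now]
        return [k for k, _ in self._keys[address]]
```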