misskey-dev / misskey

🌎 A completely free and open interplanetary microblogging platform 🚀
https://misskey-hub.net/
GNU Affero General Public License v3.0

PGP support #14636

Open SoniEx2 opened 1 month ago

SoniEx2 commented 1 month ago

Summary

when sending email, optionally encrypt (not sign) with PGP key

Purpose

using a PGP key (unique per service) helps keep one's email inbox free of spam

Do you want to implement this feature yourself?

KisaragiEffective commented 1 month ago

I don't think so, because do you trust that the server admin will not send spammy mail to you, disregarding GPG encryption, after registration? Also, GPG is unrelated to avoiding spam. Spam may be able to be signed too, can't it?

temtemy commented 1 month ago

Spam can be signed, but encrypting for each user's public key is not feasible. So signed+encrypted PGP can be a signal to some mail servers to not treat the email as spam. But then that should be moot because the only time your email notification would be sent to junk is during sign-up. Once you unmark them as spam the mail server should pretty much trust every future email from the Misskey instance.

So the only use for this is if you want to keep the content of the notifications secret from your mail server. For that you will definitely need signing (from the Misskey instance's private key) and encryption (from the target user's public key). Without signing you will still get spam if that's your concern (how can you verify the message came from the Misskey instance?)

SoniEx2 commented 1 month ago

by encrypting, you show knowledge of a long, rotatable secret.

if you use it for spam, the user can delete the key. no key, no (way to read the) spam.

temtemy commented 1 month ago

> by encrypting, you show knowledge of a long, rotatable secret.

You're confusing PGP with something else then.

> if you use it for spam, the user can delete the key. no key, no (way to read the) spam.

If the user deletes their public key from the Misskey instance, then the instance should no longer encrypt the email notifications it sends to the user, no?

SoniEx2 commented 1 month ago

if you use the (public) key for spam, the user can delete the (private) key and be unable to read the spam.

a key is both:

"long" means you can't use bots to brute-force through all possible keys to find a key that'll let your spam through.

"rotatable" means if the public key gets leaked (remember, this is all unsigned, encryption-only) the key can easily be burned and replaced.

finally, "optional" because not everyone wants to put up with key management. in fact, most ppl don't wanna have to think about key management. but for a handful of ppl, the peace of mind is worth the hurdle.

temtemy commented 1 month ago

> if you use the (public) key for spam, the user can delete the (private) key and be unable to read the spam.

That sounds like a PEBCAK.

> not everyone wants to put up with key management. in fact, most ppl don't wanna have to think about key management. but for a handful of ppl, the peace of mind is worth the hurdle.

Well, not everyone even knows about PGP, so I don't know why you're even suggesting it.

SoniEx2 commented 1 month ago

that's how I'd personally use it, setting up an encrypted-only inbox and keeping track of which services have which public keys.

if you hand out the keys to your "partners" I can track them down and hand you a nice GDPR lawsuit for it (where "you" is the instance admin). this is the intended use-case. to make a lawsuit machine.

a very good lawsuit machine that fights spam in the ways that matter.