I'm conceptually really curious about various aspects but before I
forget - this time - I'd like to ask two broader questions first:

- Is this in any way an officially "backed" project? Part
of a thesis or what-not, let's say?

- (To everyone) Why is there almost never a discussion on RFCs and
talking something down the pathway of "what would it take to make a
standard out of this"?

Not endorsing or panning anything, just trying to think about
different aspects first this time.

I will say one thing - I think it's ~perfectly OK~ to "break" certain
aspects of email legacy support (say the POP/IMAP question) because,
any way we cut it, we're going to end up transitioning from a good
chunk of the email paradigm "we" know if we're ever going to get broad
adoption. So I do like the idea of trying to solve the new problems
introduced in different ways and chart out risk measurements in terms
of users "not us".

Cheers,
-Ali


On Fri, Aug 23, 2013 at 4:53 AM, DC <dcpo...@cs.stanford.edu> wrote:
> Hi everyone,
>
> I'm DC, and I've been lurking here for a few weeks :)
>
> Since the NSA leaks, I've been inspired to work on an old dream: end-to-end
> encrypted email.
>
> One difficult problem in public-key encryption is key exchange: how to get a
> recipient's public key and know it's really theirs.
> My plan is to make your email the hash of your public key.
> For example, my address is nqkgpx6bqscsl...@scramble.io
> (I borrowed this idea from Tor Hidden Services.)
>
> This lets you build an email system with some nice properties:
> * It's webmail. I want something easy to use and understand, unlike PGP, so
> that nontechnical people can grok it.
> * Webmail has an inherent weakness: if push comes to shove, the NSA can
> compel a Scramble server to serve bad JavaScript to their users. I want to
> give users the option to install the app as a Chrome extension. Same HTML,
> CSS, and JS, but served locally, so the server is untrusted.
> * You can look up someone's public key from an untrusted server, and verify
> that it's actually theirs.
> * Anyone can run a Scramble server
> * It's open source
> * All email between Scramble addresses is encrypted. Both Subject and Body
> are encrypted via PGP.
> * With some precautions, it's possible to avoid associating your real
> identity with your email address at all. This means that even From and To
> can be anonymous.
>
> Feel free to try it out! https://scramble.io/
>
> Here's a more thorough description of my design and my motivations:
> https://scramble.io/doc/
> Finally, here's a more thorough description of the technical details:
> https://scramble.io/doc/how.html
>
> Thoughts?
> Best
> DC
>
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> compa...@stanford.edu.
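
An added example, not part of the original post and not Scramble's code: how a client can check a public key returned by an untrusted server against a hash-derived address, as the quoted message describes. The hash (SHA-256), the 80-bit truncation, the base32 encoding, the function names and the sample keys are all assumptions; the post says only that the address is the hash of the public key.

```python
import base64
import hashlib
import hmac

HASH_BYTES = 10  # assumption: 80-bit truncation, giving a 16-character base32 name


def local_part_for_key(public_key: bytes) -> str:
    """Derive the address local part from the key bytes (assumed scheme)."""
    digest = hashlib.sha256(public_key).digest()[:HASH_BYTES]
    return base64.b32encode(digest).decode("ascii").lower()


def key_matches_address(address: str, public_key: bytes) -> bool:
    """True only if the key hashes to the local part of the address."""
    local, sep, domain = address.strip().lower().partition("@")
    if not sep or not local or not domain:
        return False  # malformed address: nothing to verify against
    expected = local_part_for_key(public_key)
    # Constant-time comparison; the address is the only trusted input.
    return hmac.compare_digest(expected.encode(), local.encode())


def lookup_and_verify(address: str, server_response: bytes) -> bytes:
    """Accept a key from an untrusted server only if it matches the address."""
    if not key_matches_address(address, server_response):
        raise ValueError("key does not hash to the address; refusing to use it")
    return server_response


# Constructed sample data: stand-ins for exported public key bytes.
ALICE_KEY = b"constructed-public-key-bytes-for-alice"
SUBSTITUTED_KEY = b"constructed-public-key-bytes-from-bad-server"
ALICE_ADDR = local_part_for_key(ALICE_KEY) + "@example.org"

if __name__ == "__main__":
    print("address:", ALICE_ADDR)
    print("honest server accepted:",
          lookup_and_verify(ALICE_ADDR, ALICE_KEY) == ALICE_KEY)
    try:
        lookup_and_verify(ALICE_ADDR, SUBSTITUTED_KEY)
    except ValueError as err:
        print("substituted key rejected:", err)
```

The truncation length sets the cost of finding a second key that hashes to the same address, so it is a security parameter rather than a cosmetic choice.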