Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Working on my second encrypted email project. The first one got some traction but ran out of money.

https://oakmail.io/



I worked for an encrypted email company for ~4 years and I'm pretty familiar with the space.

How do you solve the user experience problem associated with PGP in terms of sharing keys? You cannot send an encrypted email to someone you have never communicated with before, right?

Do you have a blog or anything to follow?


> How do you solve the user experience problem associated with PGP in terms of sharing keys?

Rely on keybase.io and keyservers to offer some potential matches + in the future work on a better protocol for key discovery (e.g. key discovery as an smtp extension). This was talked about before, and in the past our competition showed interest in supporting it.

> You cannot send an encrypted email to someone you have never communicated with before, right?

Yes, unless you generate a keypair as the sibling comment suggests. That's not something we're considering yet, I'm not sure yet how it would affect our policy of "zero knowledge" (misappropriation of a cryptography term, meaning that the server doesn't have access to unencrypted data at any time).

> Do you have a blog or anything to follow?

Subscribe to our mailing list ( https://oakmail.io/ ) or hit me up at my username at google's email service.


The guy who does backend at Oakmail here.

1. Supporting external APIs greatly helps the cause. Keybase, Facebook PGP.

2. Custom protocols for TOFU key sharing. There has been some effort in ModernPGP regarding that. Not a fan of that.

3. Certificate Transparency implemented for WoT. Something that Gary Belvin from Google proposed during 2nd OpenPGP Summit. Pretty cool stuff.

4. Legacy key servers.

People say that you can't make e-mail secure. Sure as hell you can - the protocol is very flexible and if you cooperate with other companies you can at least create a mini encrypted ecosystem for emails. If we finish the product, we could grab a significant market share away from the competitors and get them to implement new features to finally create proper products.


I can't comment on oakmail, but I can tell you how i'm doing it for my project (decentralized mailer/messenger, look for my post on this page). But basically you perform a lookup (X address = Y privatekey). The problem is when your users don't want their pubkeys to be public.

In a nutshell, I create a new keypair using the recipients address as the seed for the keypair. Addresses in my system are similar to bitcoin addresses (I also use elliptical curve encryption) so the addresses have embedded hashes and checksum of the public key.

This means that pubkeys are encrypted and only people with your address can retrieve your pubkey.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: