

Why aren't mail servers configured to require public keys? - plg

Why aren&#x27;t mail servers designed so that any mail directed to user X must be encrypted with user X&#x27;s public key?
======
DanBC
SMTP is pretty old. RFC 821[1] is from 1982. RFC 722 (Mail Transfer Protocol)
is from 1980. The early hackers didn't want security; passwords were often the
string PASSWORD for example.

Pretty Good Privacy[2] was first released 10 years later. Cryptography can be
computationally expensive.

There was a bunch of stuff that they just didn't think about when SMTP was
created, and changing the protocols is glacially slow.

For example, Project Gutenberg started when Michael Hart wanted everyone to
have a copy of the US constitution, and started emailing it to everyone. Spam
has been a significant problem for SMTP but nothing really has been put in the
RFCs to help.

Anyone designing a mail protocol wouldn't come up with SMTP, but no-one with
RFC influence is going to create an SMTP replacement, and so we're getting
locked in with easier closed-garden communications. Facebook makes it easy for
me to chat or message someone, but it's horrible compared to the nice RFC
standards.

[1]
([http://www.faqs.org/rfcs/rfc821.html](http://www.faqs.org/rfcs/rfc821.html))

[2]
([https://en.wikipedia.org/wiki/Pretty_Good_Privacy](https://en.wikipedia.org/wiki/Pretty_Good_Privacy))

[3]
([https://en.wikipedia.org/wiki/Project_gutenberg#History](https://en.wikipedia.org/wiki/Project_gutenberg#History))
([http://www.gutenberg.org/wiki/Gutenberg:The_History_and_Phil...](http://www.gutenberg.org/wiki/Gutenberg:The_History_and_Philosophy_of_Project_Gutenberg_by_Michael_Hart))

------
msmitty
Single universal encryption standard indeed. Plus you'd need users to
understand how it works. Teach them how to keep their secret key safe; explain
to them how they are screwed if they ever lose it etc. Then you need to have
users to upload their public keys. I don't see my dad doing this. You can't
have your email provider do it because when your private key is not in your
hands alone, you'll never be certain that it's not abused. Your mail server
software needs to be adapted. Lots of people use Google. They won't encrypt
email by default because then their algorithms won't be able to scan your
email's content for targeted ads. John Q. Email user can't even choose a
decent internet password, let alone understand PKI.

------
tptacek
Because that would require a single universal Internet encryption standard,
and S/MIME never really succeeded as that.

------
a3n
Because email comes from the early internet, when the net was basically
between a relatively few trusted individuals. Then millions, then billions saw
the utility of what existed, and now it's almost too late.

