🔐 Every unencrypted email is readable by 10+ entities and stored forever.

nicfab@fosstodon.org

@delta @Blort 3/3 - That's why I see WKD and projects like DeltaChat as complementary rather than competing — WKD improves the email baseline. At the same time, Delta pushes the boundaries of what email-based messaging can achieve. Different tools for different threat models and use cases.

thedarktangent@defcon.social

@nicfab @yawnbox I have lived through essentially the same issues with PGP keys in DNS, hashes of SMime keys in DNS, MTA-STS, DANE for SMTP, automatic SMIME using SMILE, etc.

I hope WKD does better! But I fear that without a solution to local email search it will be a victim of its own success, or you will have to put so much information in the subject line to remind you what is in the encrypted body that some privacy is lost.

tudobem@social.tchncs.de

@nicfab @PierricD thank you! would it be okay if I get back to you with questions in case they come up along the way?

nicfab@fosstodon.org

@thedarktangent @yawnbox I share your concern — past attempts (PGP in DNS, DANE, SMILE, etc.) struggled with adoption. WKD isn’t a complete solution, but it’s worth setting up: it removes a key barrier and makes encrypted mail more usable, even if challenges like local search and subject-line leaks remain.

nicfab@fosstodon.org

@tudobem @PierricD Of course, feel free to reach out anytime.

grant_h@mastodon.social

@nicfab
Reading the article, I can't see how this works out in a hybrid situation - where not all your email recipients are using WKD. Am I missing something?
You mention the strength of email being its own prison - we need something that would encrypt where possible, and fall back to plaintext where not (with warning). HTTPS was not implemented across the board overnight.

nicfab@fosstodon.org

@grant_h 1/2 You're right — WKD alone doesn't handle the hybrid scenario. It's just key discovery, not the complete solution.
For opportunistic encryption, you need WKD plus smart clients: Thunderbird, DeltaChat, and others already do this — they check for keys via WKD/Autocrypt, encrypt when possible, and fall back to plaintext with warnings.

nicfab@fosstodon.org

@grant_h 2/2 - Think of it like HTTPS adoption:

- WKD = certificate infrastructure (like Let's Encrypt)
- Autocrypt/client logic = protocol negotiation
- Warnings = mixed content alerts

So yes, the ecosystem supports "encrypt when possible" — WKD makes finding keys automatic. The clients handle the graceful degradation you're looking for.

grant_h@mastodon.social

@nicfab My use case is a school. Teachers and students. Particularly the counselling staff. It has to be easy and seamless, and resetable by our admins.
Unfortunately, the big companies have no incentive to make our email private, and every incentive to make it easy to join. The precise opposite of so many FOSS projects. We will persevere!

nicfab@fosstodon.org

@grant_h Go ahead!

seecurity@infosec.exchange

@nicfab @Fr333k Just an observation: that's a long blog post, with a lot of words and with a lot of computer commands and that somewhat contradicts the sentence "WKD makes encrypted email as simple as HTTPS made web browsing secure."

Nothing is simple with OpenPGP and email and that's broadly documented in academia and annecdotes. WKD does not change that.

If you absolutely positively must use email for sending sensitive info, use S/MIME.

nicfab@fosstodon.org

@seecurity @Fr333k You’re right that nothing in email crypto is ever “simple” — WKD doesn’t change the complexity of OpenPGP itself. However, it does solve a particular problem that has long blocked adoption: key discovery.

That doesn’t contradict the analogy with HTTPS — it’s about lowering friction, not erasing complexity.
And yes, S/MIME can be smoother in some contexts, but WKD gives domains a way to make OpenPGP more usable in practice.