🔐 Every unencrypted email is readable by 10+ entities and stored forever.

grant_h@mastodon.social

@nicfab My use case is a school. Teachers and students. Particularly the counselling staff. It has to be easy and seamless, and resetable by our admins.
Unfortunately, the big companies have no incentive to make our email private, and every incentive to make it easy to join. The precise opposite of so many FOSS projects. We will persevere!

nicfab@fosstodon.org

@grant_h Go ahead!

seecurity@infosec.exchange

@nicfab @Fr333k Just an observation: that's a long blog post, with a lot of words and with a lot of computer commands and that somewhat contradicts the sentence "WKD makes encrypted email as simple as HTTPS made web browsing secure."

Nothing is simple with OpenPGP and email and that's broadly documented in academia and annecdotes. WKD does not change that.

If you absolutely positively must use email for sending sensitive info, use S/MIME.

nicfab@fosstodon.org

@seecurity @Fr333k You’re right that nothing in email crypto is ever “simple” — WKD doesn’t change the complexity of OpenPGP itself. However, it does solve a particular problem that has long blocked adoption: key discovery.

That doesn’t contradict the analogy with HTTPS — it’s about lowering friction, not erasing complexity.
And yes, S/MIME can be smoother in some contexts, but WKD gives domains a way to make OpenPGP more usable in practice.

seecurity@infosec.exchange

@nicfab @Fr333k Email crypto is extremely complex and because of this, has plenty of attack surface. We published close to 10 papers in the last seven years attacking email and email encryption with OpenPGP and S/MIME.

I am at the point where I find recommending email encryption to be actively harmful. Metadata leaks all over the place, crypto from the '90s, plaintext fallbacks everywhere, user hate it, in particular the gnupg devs are very toxic, mail client developers lack time and (too often) expertise to implement it properly.

Just use Signal. If you got budget, build an app on top of Signal. Heck, just use WhatsApp. Just don't even try to send sensitive information with email encryption.

nicfab@fosstodon.org

@seecurity @Fr333k

It’s true: email crypto has flaws and decades of technical debt. But saying “just use Signal or WhatsApp” trades one problem for another — centralized silos controlled by single entities, which is even worse for long-term resilience, governance, and privacy.

WKD won’t magically fix email, but it removes real barriers and raises the baseline. Abandoning open, federated protocols entirely in favor of walled gardens is not a sustainable path.

chiefbongo@mastodon.social

@nicfab I already have a webserver for my website using my own domain name, do I need a second one or is it possible to combine this somehow?

Really interesting, first I hear of it. Thanks for sharing it!

nicfab@fosstodon.org

@chiefbongo WKD is for a single domain name only. They cannot be combined, but you can have multiple WKD configurations for numerous domain names on the server.

thedarktangent@defcon.social

@nicfab @yawnbox I was checking out the defaults on Thunderbird and it looks like this feature is off by default unfortunately. They must not want to delay sending by doing the extra lookups?

nicfab@fosstodon.org

@thedarktangent @yawnbox I don't know.