Why not distribute public keys via SMTP?

2013-07-15

One of the hurdles to end-to-end email encryption is key distribution. Doing this manually ensures that only technical people will bother, so why not automate it via some protocol? A natural method would be to extend SMTP so the sender can ask if a user’s key exists, and if so then use that to send the message, e.g. like this:

HELO relay.example.org
250
MAIL FROM:<bob@example.org>
250
KEY FOR:<alice@example.com>
250
--- BEGIN PGP PUBLIC KEY BLOCK ---
...
--- END PGP PUBLIC KEY BLOCK ---
RCPT TO:<alice@example.com>
...

The KEY FOR capability could also be discoverable via the common EHLO command:

EHLO relay.example.org
250-smtp.example.org 
250-KEYS    
...

Why hasn’t this been suggested before? Googling I found only one link. Is there some flaw with it?

blog comments powered by Disqus Prev: Basics of Web Architecture Next: Paperclip with Server-Side Files