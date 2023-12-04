Hello Vivaldi developers,

I am writing this to ask whether the Vivaldi Email server, the Vivaldi Roundcube webmail interface and the Vivaldi Browser Email client will support OpenPGP, S/MIME and Autocrypt in the future.

OpenPGP does not really require server side support other than Autocrypt and Storing the PGP keys behind an encryption password. The Relavant RFCs for OpenPGP are RFC 4880, RFC 3156, RFC 6637, RFC 6091, RFC 5581, RFC 7291, RFC 4880-bis, OpenPGP Web Key Directory, Shared OpenPGP Certificate Directory, The OpenPGP HTTP Keyserver Protocol (HKP), Abuse-Resistant OpenPGP Keystores and Forward Secrecy Extensions for OpenPGP. The standards without an RFC number are still relevant to the OpenPGP standard but have not been ratified. All of these are linked to from https://www.openpgp.org/about/standard/. In order for Vivaldi Webmail and Vivaldi Email to be interoperable, they must know how to connect to openpgp keyservers. These servers are hkps://keys.openpgp.org, https://keyserver.pgp.com, hkps://pgp.mit.edu, hkps://mail-api.proton.me, hkps://keys.mailvelope.com, hkps://keyserver.ubuntu.com, hkps://keyring.debian.org, hkps://pgp.surf.nl, https://flowcrypt.com/lookup (or hkps://attester.flowcrypt.com ???) and the LDAP server of the email provider if one is detected. Vivaldi Email should support LDAP via OpenLDAP 2.6.6 or later and use this to distribute the complete openpgp public keys of users that configure them.

Now on to S/MIME,

S/MIME 4.0 is specified in RFC 8551 at https://www.rfc-editor.org/rfc/rfc8551. S/MIME does not use keyservers in the same way as openpgp. Rather, it defines a lookup for S/MIME certificates. A certificate needs to be negotiated with the email server. Key Escrow should never be used in the vivaldi email community due to increased liability for vivaldi technologies as well as violating the trust of the vivaldi community. The best way to avoid liability for end-to-end encryption is to e2e encrypt everything all the way or not at all.

It is important the vivaldi email server support autocrypt to make end to end encryption easy. It is defined at https://autocrypt.org/index.html and the latest version is 1.1.0. Domain Keys identified mail is also important to prevent the spoofing of the vivaldi mail server. DKIM is specified at https://www.rfc-editor.org/rfc/rfc6376.txt with updates by RFC 8301, RFC 8463, RFC 8553, and RFC 8616. DKIM is dependent on DANE, which is specified athttps://datatracker.ietf.org/doc/html/rfc7671 based on RFC 6698.

Notes: When RSA encyption is used, keysizes should be no less than 4096, and each PGP permission should have its own 4096 bit subkey for Identity, Sign, Encrypt, Encrypt and Sign and for Key Revocation to make it harder to compromise the complete key. A similar approach should be used for S/MIME if possible. When elliptic curve cryptography is used, keysizes should be as big as possible for the specific curve, although keysizes less than 384 bits should never ever be used. NIST-P521, NIST-B571 and ECDSA-4096 are acceptable, but the encryption implementation for elliptic curve cryptography should always assume a level of security one half of the keysize, since this is well known for ECDSA and might also apply to NIST-P521 and NIST-B571. I encourage Vivaldi Technologies to participate in the process to standardize OpenPGP with algorithms resistant to shors and grovers algorithm. Crystals-Kyber, NTRU, NTRU-Prime and Classic McElice should be included, along with the Crystals-Dilithium, FalconSign and SPINCS+ digital signature algorithms. AES-256, Anubis-320, Kalyna-512, ThreeFish-1024, RC6-256, CAST6-256, Blowfish-256, ChaCha-256 and Kuznyechik-256 with extreme caution due to the fact that a man in the middle attack has been demonstrated to be effective up to 5 round of kuznyechik. Kyznyechik is specified to use 10 rounds of encryption on a 256 bit key, so the only reason for Kuznyechik being in the list of symmetric ciphers I endorse being used in OpenPGP and S/MIME is for Russian government federation end users who have no choice despite the fact that the algorithm is not secure and should not be used. If the Russian Federation wants to put their secrets as risk by requiring the use of an algorithm that is only half as secure as it is designed to be, it is their choice to make it easier for their cool shit and war crimes to get leaked. I also endorse poly1305, SHA3-512, SHA3-Shake256, MD6-512, Skein-1024, (1024 bit state size) Blake3, Grøstl-512 and JH-512. I recommend that the listed hash functions that support arbitrary output sizes use a 512 bit output size for efficiency. So long as the protocol is secure, then it will not need any changes, just changes to the underlying cryptography.

