Just as with OTR - (http://www.cypherpunks.ca/otr/) for XMPP, would it be possible, or feasable to implement something like that for email, as a server-side addition?<p>- User alice@example.com types and sends email for bob@server.com
- Mailserver from example.com contacts mailserver at server.com
- They do a Diffie Hellman key exchange and MTA at example.com uses that key to encrypt this specific email message
- It passes as encrypted plaintext over the internet
- The MTA at server.com recieves the encrypted message, decrypts it, and discards the key.<p>It would have a few of the drawbacks of MTA ssl, because both ends have to support it, but it does provide better protection against private key leakage.<p>What are your thoughts and opinions on this?
Basically, Diffie Hellman is a key exchange algorithm, without authentication. So using just this algorithm would not protect from MITM.<p>But the OTR protocol can be effectively adapted to email. It would need a few emails to establish the original key exchange, but that's not too hard to do. In fact, TextSecure, an Android app (soon on iOS) already does OTR like that for SMS.<p>The real problem with a system like this is deciding how you would authenticate the person with whom you're communicating. Pre shared key? PGP-signed message?
How is this different from using SMTP+STARTTLS with a DHE (or other forward-secret) ciphersuite? In currently deployed systems, if you have that enabled, it does exactly as you describe. The transfer over the internet is encrypted, but the receiving MTA decrypts the message and stores it as plaintext.