An interesting new approach to encrypting emails and make sure only the intended recipient can decrypt the email: Identity-Based Encryption.
This works by authenticating the email recipient based on their email address the first time they recieve an email. They are given a key and after that they can read all emails based on that key.
My questions in this case are (still resarching):
- What if someone steals their private key? Can they read all the email?
- What if the person moves to another machine that does not have the private key - will they be unable to read their mail?
- What if someone logs in at an Internet cafe to read webmail - is the email they download encrypted and will they get a new private key? In this case will the private key potentially be stored on the Internet cafe computer for abuse by future users of that machine?
It sounds really good...but will have to try it out to see if it actually works in all reality. I'll let you know... probably some encryption and verification is better than none but not sure how foolproof this is.
Another interesting idea would be to verify that the person downloading the mail to read it is contacting a server defined in the SPF records for that domain, otherwise the server storing the mail for download is not legit. Haven't thought through how this could be implemented nor do I know if this is already part of SPF, to be honest.
Identity Based Encryption
I did some additional research and got answers to these and other questions in this Identity Based Encryption Post: http://randominternet.blogspot.com/2007/01/identity-based-encryption_30.html