Easily remembered usernames for chatmail

One issue that I commonly see brought up when I onboard people to Delta Chat is that it’s a bit cumbersome to share the links or QR Codes as the main and only supported way to make contacts, so I was thinking of some possible ways that “usernames” could be implemented on-top of existing chatmail infrastructure (notably NOT the underlying email address, as it’s only used for transport)

starting simple, we could allow users to set usernames at a domain/website, by having the website serve a small file that contains the actual details to a user in a URL like user.example.com, kind of like what ATProto/Bluesky does with their alsoKnownAs field in user identities

to make this work, I’m thinking that the UX should be simple: input a username in the @user.example.com format and have delta automatically resolve the contact data from there

the data would by queried by doing a GET request to user.example.com/.well-known/delta/user, which could contain a response such as:

{
  "avatar": "[data here]",
  "url": "https://i.delta.chat/[contact info here]"
}

the avatar field could be optional of course; to bundle the avatar right into the response it could be encoded to a blob / Object URL that would otherwise be commonly seen in browsers.

Making a GET request to the root, i.e user.example.com / should open a contact page similar to that seen at i.delta.chat already; It could even be identical to the one already served, or just be a redirect to the corresponding i.delta.chat URL seen in the url field

Registering a username

Usernames could have varying degrees of “integration” in terms of how to obtain one. It could be a manual setup process, where one sets up their site to follow the format given above, but that would be tideous.

For a start, it makes the most sense to have the chatmail stack accept setting a username optionally by sending a PUT request containing the data above. This would have to be an authenticated request in one way or another, as to not make it possible to register someone else’s identity without their consent.^[1]

Once the data is sent the chatmail relay could, if it accepts usernames, then setup a subdomain and serve the required data. This assumes that there’s a common mechanism to allow for subdomains to be quickly deployed programatically, but this is not a guarantee. See alternatives below

Alternatives

Webfinger

This could also very much be implemented with the existing WebFinger protocol instead, should there be the need for more easy, standards-based expansion in the future to include additional data without breaking backwards compatibility.

the principle of domains as usernames stays the same, but it would instead respond with a webfinger-compliant response containing roughly the same data as that seen above.

subdomain-less usernames

Alternatively, instead of having domains like user.example.com be the username, it could instead be something along the lines of @user:example.com or @user@example.com (notably any scheme that does NOT collide with existing emails)

how usernames are “served” would then change from being user.example.com/.well-known/delta/user to being example.com/.well-known/delta/user?=@user, indicating a user local to that chatmail relay

it would then give a slightly different response to what’s outlined above, namely:

{
  "username": "@user:example.com",
  "avatar": "[data here]",
  "url": "https://i.delta.chat/[contact info here]"
}

the username field would be required so that the client can compare it with the “expected” username^[2]

This would cut out the need for having the chatmail relay be able to configure subdomains, at the cost^[3] of requiring a different username format.

I am very much looking for thoughts and ideas on this, and pardon me if I missed an open thread about this topic!

1. Although I am not aware of a way that the authentication to the chatmail relay could be re-used in HTTP request as-is without extra software infrastructure work. ↩︎

2. i.e what the user typed into the input field ↩︎

3. if it can even be considered that ↩︎

For convenience, trad email is great.

What’s your email?

It’s alice@example.com.

And if I can type that, I can contact Alice. Easy, plus most people already know how to do it.

The problem is adding E2EE without making the user worry about keys, or even QR codes; we want it invisibly easy.

This is possible. We have a well-tested, secure proof-of-concept. If I tell you about a Debian package called “seahorse”, and you have a Debian-based distro, you can type “apt install seahorse” on you computer and reliably get a secure copy of the package. You will not get malware instead.

If we can reliably transmit software, we can transmit public keys. It can all happen in the background, without further intervention, once I type “alice@example.com” (or “seahorse”…).

Many email servers already publicly serve the public keys of their accounts. If they could be persuaded to mirror one another’s keys, a distrolike fully-automatic background key exchange would be possible. Chatmail servers could adopt this mirroring practice.

We should keep the QR codes as an option, tho.

Since you are already downloading a file, you can as well download a vCard (.vcf) file, the same as Delta Chat sends when you share a contact internally. vCard already contains an avatar and public key and will soon contain bio/signature, so you don’t need to wait until you receive a response before you can send a message.

We generally try to discourage publishing invite links or QR codes - they were meant for establishing contact in private (ideally in person, but also over existing messenger, in direct messages etc.).

I’m sorry, I was unclear. I meant that if Bob sends a message to alice@example.com, Bob’s client looks up the public key for that address, checking with multiple mirrors to make it hard to spoof. Then his client uses the key. Bob never sees this automated key lookup and encryption (parallel: I don’t see apt checking sigs and comparing checksums). To Bob and Alice, it’s exactly like sending unencrypted emails.

The key could be in vCard form; Alice and Bob wouldn’t need to know.

Is it possible to manually load vCards into a Deltachat client now? That would be great. Or allowing manual import of contacts from my keyring? That would be really useful, too. But I was talking about something fully-automated.

Interesting ideas here. I agree that a simpler mechanism to share contact info has a lot of potential.

One potential drawback is the possibility of a hostile key mirror enabling spam, but I’m not aware that anything like this has happened yet and it’s probably premature to worry about.

Another question to consider is trust design, like in the thread here:

For some people’s threat model, the convenience of an online key lookup can outweigh the potential for impersonation, and techniques like key mirroring can reduce this risk further.

I get you, but sometimes it can make sense to have a public account, for example if you’re representing a business or organization and you want the general public to be able to contact you, in which case it’s not always necessary to verify the other person’s identity. In this scenario, a “trust on first use” model seems sufficient to me. It’s still better than other options which might be available to the public, like sending an unencrypted email or using WhatsApp.

However, the app should still encourage users to scan contacts’ QR code at the first opportunity.

While there is an analogy here about the verification happening invisibly in the background, in the Debian example you already have the key on your device, so it’s a bit different. If we want an analogy for the key exchange problem, the question is not how to securely install a package once we already have Debian installed, but how can we securely install Debian itself starting from scratch?

Yes, I think it has been possible for some time. Just import it into a chat like you would with any file, and the vcard will appear in the chat.

If you export your contacts from your keyring into .asc format you can then use the .asc to vcard app by @r10s to convert them into vcards and manually import them. However there’s nothing fully automated that I’m aware of.

To clarify, in my analogy, the Deltachat keys are analogous to the distro software packages. Distros come with some keys, but they do not come with every package in their database.

When a user wants a new package/public key, they need to securely download it. Getting the wrong key or the wrong software is a serious failure.

So my argument is that distros reliably deliver verified software, and a parallel system could reliably deliver verified keys.

The distro system is very well-tested at this point, having been widely used for over two decades for essential stuff like keeping web servers secure. So we have strong reason to believe that the risk of a hostile key mirror allowing spam is similar to the risk of an apt-install installing arbitrary code: extremely low.

The mirror risk might actually be lower than the risk of the QR code system, since people sometimes let others use their phones, or leave them unattended, among other vulnerabilities. Certainly it would be safer than a vCard acquired over an insecure channel. There are reasons distros don’t make users do their own key management manually!

Belatedly taking link2xt’s point. It would make sense to send a vCard, fields the owner did not want published could be ommitted.

You could also mirrorpublish gateway contact info, and switch to a more private account once you’d established an encrypted channel.

oh yeah, I wasn’t aware it uses vCard under the hood but that makes perfect sense too! no need to have 2 different data formats for the same contents

Correct, but for others it doesn’t. A simple UI distinction of the verification trust level would solve this, like I proposed here.

Strongly agree. Actually, there is extensive research on what info is included in an effective warning, mostly by biologists studying alarm calls (which unlike 1-bit mechanical human-made alarms, are usually information-rich, more like the verbal warnings people give each other).

As far as I know, there is currently no way to download a Deltachat client that does not trust a single website’s http-over-TLS connection (short of reading the code and compiling it yourself). Deltachat is known to have multiple state-level adversaries. Downloading keys for individual contacts over TLS, with mirror checks, would not be the weakest link.

It seems that keyservers are moving towards this sort of mirror architecture already. A standard for invisibly securely acquiring keys and encrypting mail seems necessary for making e-mail E2EE widespread. A standard for verifying keys in person is also a very good idea. A clear way to tell the user what sort of trust to give to a comms channel seems necessary, too.

If these standards were specific to Deltachat, they would be substantially less useful, if much easier to implement securely.

Desktop clients are now signed using the key here and the signatures are in the download directory (but not yet displayed on the main download page).

Android clients have been signed for a long time already and if you use F-Droid they verify it for you anyway.

Well, the user is always the weakest link!

When does a distro such as Debian need to download a new public key for a package in its database?

I see this as a fundamentally different type of risk.

You’re quite right, there are multiple ways to download Deltachat clients that are duplex TLS or better. I was just thinking on my own distro (Mobian), which is still experimental, so my complaint was utterly unreasonable.

When I said “new package/public key”, I meant “new package (in a distro) or new public key (in a key distribution system)”. My phrasing was unclear; I was trying to express an analogy. I’m trying to say this: if one has a system for securely downloading novel packages on request, one can make a similar system for securely downloading keys on request. In the old system, the packages contained software; in the similar system, the “packages” contain keys instead.

Extending the analogy, installing Debian is like installing a Deltachat client; some keys may be included, and later used to download new data (including new keys).

Debian’s techniques for securing its packages have changed over time, but it’s been rotating its keys for decades, I think initially once per release. I believe packages are signed using (mirror-specific) subkeys rather than having individual keys. New versions of packages are made available at unpredictable intervals, and are signed using whatever keys are current at the time.

TUF, The Update Framework, has abstract consideration of the problem. The threat model for malicious actors compromising software distribution seems somewhat similar to that of malicious actors compromising distribution of chat keys.

Of course there are some differences; in-person meetups are far less feasible for software, Chatmail servers need to be easier to run than distro mirrors, and, importantly, the true authority for a keys is the individual enduser.

The current model for Deltachat is “do not trust the server at all, trust a direct connection between the endusers” (currently, in-person QRcode scan or nonce invite link).

Conceptually, I really like this method; I very much want DC to retain it. But practically, I can talk to almost everyone I know by conventional email, and I can only talk to three people over Deltachat, due to assorted blockers. A fully-automated, zero-effort way to establish E2EE mail would encrypt more of my communications even if it was compromised and completely useless 80% of the time.

I can’t think of a good way to fully automate key exchange without trusting a third party or a group of third parties (with mutual checking). I believe I’m already trusting the mailservers with my mail metadata (and webmail servers are always a MITM); I’d be willing to trust them to do an initial key exchange. Autocrypt’s trust-on-first-use strategy of just sending the public key in an Autocrypt header would also work. A group of well-reputed public keyservers works. Multiple routes could crosscheck.

And then I’d check the provided keys in-person or via other channels whenever I could. The more mailclients supported such checks (ideally with automated discrepancy reporting), the easier it would get. Some human-readable key hashes could provide additional checks.

But this is all inexpert suggestions at solutions; I might be better off posting problems at 🚧 Adoption Blockers: What is the most anoying missing Feature to you? - #52 by adbenitez

(and I still can’t figure out how to add a contact from a vcard )