According to James:
I would appreciate some analysis of this proposal, which I think summarizes a great deal of discussion that I have read.
> Here is how email encryption should work: [...]
> * In the default case, the mail client, if there are no keys present, logs in to a keyserver using a protocol analogous to SPEKE, using by default the same password as is used to download mail. That server then sends the key for that password and email address, and emails a certificate asserting that holder of that key can be reached at that email address.
Are you saying that the keyserver creates the public-private key pair for the user? That doesn't sound like a good idea.
> Each email address, not each user, has a unique key, which changes only when and if the user changes the password or email address.
How do you prevent a user from creating a key/certificate for an email address the user doesn't own?
> * The email client learns the correspondent's public key by receiving signed email.
Unless you use certificates issued by a trusted third party, that's not secure.

ciao...
-- 
Lars Eilebrecht
lars@evildoer.de
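As an added illustration of the two objections raised in this reply (not code from either James or Lars, and not part of the thread), the following Go sketch shows the defensive alternatives they point at: the key pair is generated on the client, so a keyserver never holds a private key; the keyserver publishes an address-to-key binding only after a random challenge token mailed to that address comes back, so a registrant must control the mailbox; and a client-side pin store records the key seen in signed mail, which shows why trust-on-first-use alone cannot tell the real sender from an impostor on first contact, whereas a mailbox-verified directory entry can. Everything here is constructed: the addresses, the `Outbox` slice standing in for SMTP delivery, and the `SignedMail` structure are stand-ins, and Ed25519 from Go's standard library is used for signing because this thread names no particular algorithm.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Keyserver stores only public keys; key pairs come from GenerateKey on the client.
// Outbox is a constructed stand-in for SMTP delivery of challenge mails.
type Keyserver struct {
	pending map[string]pendingReg        // address -> registration awaiting proof of mailbox control
	bound   map[string]ed25519.PublicKey // address -> key whose owner proved control of the mailbox
	Outbox  []string                     // "address|token" lines the server "sent"
}

type pendingReg struct {
	pub   ed25519.PublicKey
	token []byte
}

func NewKeyserver() *Keyserver {
	return &Keyserver{pending: map[string]pendingReg{}, bound: map[string]ed25519.PublicKey{}}
}

// GenerateKey creates the key pair on the client; the server never sees the private half.
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register parks the key as pending and mails a random token to the address.
func (ks *Keyserver) Register(addr string, pub ed25519.PublicKey) error {
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return err
	}
	ks.pending[addr] = pendingReg{pub: pub, token: tok}
	ks.Outbox = append(ks.Outbox, addr+"|"+hex.EncodeToString(tok))
	return nil
}

// TokenFromMail extracts the token from a constructed Outbox line.
func TokenFromMail(line string) string { return line[strings.LastIndex(line, "|")+1:] }

// Confirm publishes the binding only if the caller returns the mailed token,
// which is what proves it can read mail for addr.
func (ks *Keyserver) Confirm(addr, tokenHex string) error {
	p, ok := ks.pending[addr]
	if !ok {
		return errors.New("no pending registration for " + addr)
	}
	tok, err := hex.DecodeString(tokenHex)
	if err != nil || subtle.ConstantTimeCompare(tok, p.token) != 1 {
		return errors.New("challenge token mismatch")
	}
	delete(ks.pending, addr)
	ks.bound[addr] = p.pub
	return nil
}

// SignedMail is a constructed stand-in for a signed message that carries the sender's key.
type SignedMail struct {
	From string
	Body []byte
	Pub  ed25519.PublicKey
	Sig  []byte
}

func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMail {
	return SignedMail{From: from, Body: body, Pub: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, body)}
}

// Fingerprint is a short SHA-256 fingerprint of a public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// PinStore is the client's record of which key each sender used (trust on first use).
type PinStore struct {
	dir  *Keyserver
	pins map[string]string // sender address -> fingerprint first seen
}

func NewPinStore(dir *Keyserver) *PinStore { return &PinStore{dir: dir, pins: map[string]string{}} }

// Receive verifies the signature, then grades the sender key: "matches-directory" if it
// equals the mailbox-verified entry, "pinned" on first contact with an unlisted sender,
// "matches-pin" afterwards. A key contradicting the directory, or changing after pinning, is rejected.
func (ps *PinStore) Receive(m SignedMail) (string, error) {
	if !ed25519.Verify(m.Pub, m.Body, m.Sig) {
		return "", errors.New("signature does not verify")
	}
	fp := Fingerprint(m.Pub)
	if verified, ok := ps.dir.bound[m.From]; ok {
		if !bytes.Equal(verified, m.Pub) {
			return "", errors.New("sender key contradicts verified directory entry for " + m.From)
		}
		ps.pins[m.From] = fp
		return "matches-directory", nil
	}
	prev, seen := ps.pins[m.From]
	switch {
	case !seen:
		ps.pins[m.From] = fp // unverified: an impostor writing first would be pinned just the same
		return "pinned", nil
	case prev != fp:
		return "", errors.New("key for " + m.From + " changed from pinned " + prev + " to " + fp)
	}
	return "matches-pin", nil
}

func main() {
	pub, priv, _ := GenerateKey()
	ks := NewKeyserver()
	_ = ks.Register("alice@example.test", pub)
	fmt.Println("confirm:", ks.Confirm("alice@example.test", TokenFromMail(ks.Outbox[0])))
	ps := NewPinStore(ks)
	fmt.Println(ps.Receive(Sign("alice@example.test", []byte("hello"), priv)))
	_, impostor, _ := GenerateKey()
	fmt.Println(ps.Receive(Sign("alice@example.test", []byte("hello"), impostor)))
}
```

The `pinned` branch is the weak point Lars's second objection describes: a pin store can only detect a change after the first contact, so an impostor who writes first is trusted until a verified binding (here the keyserver's, in practice a certificate from a party the recipient trusts) contradicts it.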