Hi All,

I'm not sure if this is a topic which has already come up or not (I did a simple search, which brought nothing up).

Anyway, the state of email security is still pretty poor despite much low-hanging fruit. PGP is great for those that use it, but they are a small group. TLS seems to be the only widespread security implementation, and I suspect that it has worked because it's transparent to the end users.

So, why hasn't key exchange been made to be transparent? Why are (E)SMTP servers not also key servers? Have users generate a key pair on registration, store those keys on the server (in an encrypted archive), and make the public key available. A little coding later and we've got key exchange and message confidentiality. Some extra security can be had by giving mail servers their own keys with which they can sign exchanges (and remember each other). TLS can be used as part of an initial key exchange if that is desired.

Can we not extend SMTP again to include the necessary key exchange commands? Is there any movement on this?

Jon