tidy up
All checks were successful
Release to Production / build_and_release (push) Successful in 17s

_ 2025-01-13 00:46:49 +00:00
parent 40fa68b587
commit ceb2425fe9


@ -1,27 +1,33 @@
# Email Flow
In creating an email flow that maintains PRIVACY and SECURITY whilst also being convenient to use, the following principles were observed:
In creating an email flow that maintains PRIVACY and SECURITY whilst also being convenient to use, the following principles are observed:
- Keypair must be generated client-side
- Keypair must be protected by a long and complex password
- Keypair must be protected by a strong password
- It must be possible to change the password
- It must remain possible to work offline
- It must be possible to work offline
- Network traffic must not contain identifying metadata
All of the above is achieved using a high level signup flow as follows:
All of the above are achieved using a high level signup flow as follows:
1. User provides email and complex password
2. These are used to encrypt a locally generated keypair into a backup
1. User provides email and long (min 21 chars) password
2. These are used to encrypt a locally generated keypair
3. Email address, Public Key and encrypted backup are sent to the server
4. Account is validated
4. Email address is validated
5. Account is activated
The password is only used to encrypt/decrypt the local backup and is never stored or sent anywhere.
The password is only used to encrypt/decrypt the local backup and is never stored or sent outside of the browser
When perforing a login, the flow is:
When perforing a regular login, the flow is:
1. Generate a temporary key pair for secure server communication
2. Validate the email
3. Provide the encrypted keypair for the user to unlock
1. Validate the email
2. Provide the encrypted keypair for the user to unlock
When performing a password reset:
1. Change the pasword locally
2. Re-encrypt the keypair using the new password
3. Send the new backup to the server
All key signing / encryption operations happen on client side using [private class properties](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Classes/Private_properties).
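
Review bot: The new "When performing a password reset" steps at the end of the hunk describe a password change rather than a reset. Step 2, "Re-encrypt the keypair using the new password", requires decrypting the keypair first, which needs the current password, and the text above says the password is never stored or sent outside of the browser. Either rename the section to a password change or document what happens when the password is forgotten. Step 3, "Send the new backup to the server", does not say how the server verifies that the replacement backup comes from the account owner; state that check here. The login flow also drops "Generate a temporary key pair for secure server communication" without saying what replaces it, which deserves a line in the commit message given that "tidy up" suggests no behavioural change. Minor: "perforing" is carried over into the edited login line, "pasword" is introduced in the new section, and the edited sentence ending "outside of the browser" has lost its full stop.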