[aborsy]

It’s a disaster because email providers don’t want to offer E2EE or make it easy.

Is it that hard to generate a certificate for each email address client side and store that, and the private key encrypted with the user’s password, on the provider’s server?

The majority of email is gmail and Google could make that E2EE by default.

Countless products that have successfully implemented public key distribution (proton mail, instant messaging, …).

[bigfatkitten]

This would be a reasonable proposition if the entire Internet mail system was run by 3-4 operators, and there were no mail clients at all other than service provider webmail.

Unfortunately, the real world is much more complicated than that.

[pas]

that's not the hard part. it's the out-of-band key exchange. (or key discovery/verification. so basically how to avoid the trust on first time use problem.)

[aborsy]

The certificate contains email address as ID, and email is verified automatically or by an initial email verification (TOFU trust model).

If Google, Microsoft and Apple offer E2EE similar to Proton, the majority of email will be encrypted, as long as both sides use the same service, or globally if these companies share public keys for public key discovery.