
Organizations

Joshua Thijssen edited this page Jan 17, 2021 · 10 revisions

Organizations are the last part of an address and they have their own rules on how and when to accept new mail accounts.

They CAN be used for "namespacing": for example, we can have a regular john!, a john@work! and even a john@bitmail!.

But, with namespacing, you have to realize that the mail address IS NOT YOURS!! The organization (bitmail! in this case) could simply remove your address and give it to somebody else. Even though this is possible, one of the key pillars behind creating BitMaelum is ownership. There are simply too many (horror) stories of people losing their email addresses to ignore this fact.

However, within organizations there is often a need for some control over the addresses. This does NOT mean that organizations can in any way read or write emails on behalf of their members.

Organizations can do the following:

  • invite users to their organization
  • remove users from their organization (by removing them from the key resolver)
  • force users to register on specific mail servers only

It is NOT possible to create an organization account without an explicit invitation code from the organization.

Organization quicksteps

Step 1: Create an organisation

First, we need to create an organisation. This organisation is stored in your local account vault.

bm-client organisation create --org example --name "example organisation"

This can take a while, as organizations need a large proof-of-work.

Step 2: Add validations

In order to build trust in an organization, you can add different kinds of validations to it. For instance, you can link it to domain names, so anyone can simply verify that the organization owns a certain domain name. It's also possible to use other validation methods like Keybase or GPG keys.

You cannot add validations yet in bm-client.

Step 3: Invite a user to your organization

Next, we need to add users. We can allow users to pick their own mail-server, or force users to use your mail server.

bm-client organisation invite --routing-id ... -o example --account john@example!

This will create a token for the user to create an account on the specific server pointed at routing-id. This token is similar to a regular invitation token of a server, except it is signed by the organization instead of the mail server.

Step 4: Create your account

A user will receive the organization token, and can exchange this into an account in pretty much the same way as a regular account:

bm-client account create --account john@example! --name "john @ example" --token YjhlN2JiMzQ2ZWIxNjEx.....

Verifications

Q: How can we be sure an address is really part of the organization? A: An organisation address can only be added to the keyserver when it is signed with the organization's private key. For this, we use the organisation token.

Q: How do we remove a user? A: The user can remove themselves (since they hold their own private key), or the organisation can do it: we can check whether a given signature was made with the organisation's private key.
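The trust model described in Steps 3 and 4 and in the two questions above (an invitation token signed by the organization key, an address accepted by the key resolver only under that signature, and removal accepted from either the user's own key or the organization's key) as an added Go sketch; this is example code, not BitMaelum's own, and the Resolver type, the "invite:"/"remove:" message formats and the routing-ID binding are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// Resolver stands in for the key resolver: each organization's public key and
// the key behind every registered address. Message formats here are assumptions.
type Resolver struct {
	OrgKeys  map[string]ed25519.PublicKey // organization name -> org key
	Accounts map[string]ed25519.PublicKey // address -> account key
}

// inviteMsg binds the invited address to the routing ID (mail server) it must
// register on, so a token cannot be reused for another server.
func inviteMsg(address, routingID string) []byte {
	return []byte("invite:" + address + ":" + routingID)
}

// IssueInvite is the organization's side: the token is the invite message
// signed with the organization's private key, not the mail server's.
func IssueInvite(orgPriv ed25519.PrivateKey, address, routingID string) []byte {
	return ed25519.Sign(orgPriv, inviteMsg(address, routingID))
}

// Register adds an address only when the token verifies under the named
// organization's public key; the organization never learns the account's private key.
func (r *Resolver) Register(org, address, routingID string, token []byte, acctPub ed25519.PublicKey) error {
	orgPub, ok := r.OrgKeys[org]
	if !ok || !ed25519.Verify(orgPub, inviteMsg(address, routingID), token) {
		return errors.New("invite token not signed by organization key")
	}
	r.Accounts[address] = acctPub
	return nil
}

// Remove drops an address if the request is signed by the account's own key or
// by the organization's key; any other signer is rejected.
func (r *Resolver) Remove(org, address string, sig []byte) error {
	msg := []byte("remove:" + address)
	acctPub, registered := r.Accounts[address]
	orgPub, known := r.OrgKeys[org]
	if (registered && ed25519.Verify(acctPub, msg, sig)) || (known && ed25519.Verify(orgPub, msg, sig)) {
		delete(r.Accounts, address)
		return nil
	}
	return errors.New("removal not signed by account or organization key")
}
```

Note that the resolver only ever verifies signatures: holding the organization key lets you add or remove an address, but not sign or decrypt anything with the member's own account key.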

Problems / Challenges:
