On Sun, Jan 24, 2021 at 9:15 PM <jam...@echeque.com> wrote:

> > 1) This is perhaps an obvious question (I've got to start somewhere, after all), but what is the downside of the simplest possible solution, which I think would be for all participants to publish a public key to some common key server, and then for each participant in the chat to simply re-encrypt the message N-1 times -- once for each participant in the chat (minus themselves) using each recipient's public key?
>
> This does not work in itself, because what assurance do you have that you are seeing the same public key as everyone else?

Yes, this does assume a central keyserver -- and I agree, it's possible that it lies to you, establishing a connection with someone other than who you requested (or even a man-in-the-middle). I don't know how to really solve that for real without some out-of-band confirmation that the public key returned by the keyserver (whether centralized or distributed) matches the public key of the person you want to talk to.

> > 2) I would think the most significant problem with this ultra-simple design is just performance: asymmetric encryption is just too expensive in practice to use for every single message,
>
> Nah, because its cost in human-generated messages is absolutely insignificant, particularly if you are using ed25519 or, better, ristretto25519

I think you are saying that performance isn't a real-world concern, but forward secrecy is? If so, that makes sense.

-david
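The two design points in the thread, the N-1 per-recipient encryptions and the out-of-band confirmation of what the keyserver hands back, as an added example that is not from either poster. It assumes X25519 key agreement with AES-256-GCM (the thread names ed25519/ristretto25519 but no cipher) and a SHA-256 hash of the raw public key as the value participants compare out of band; the keyserver is modelled as a plain map that the sender does not trust.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Fingerprint is what participants confirm out of band (read out in hex): SHA-256 of the raw key.
func Fingerprint(pub *ecdh.PublicKey) [32]byte { return sha256.Sum256(pub.Bytes()) }

// gcmFrom derives AES-256-GCM from an X25519 shared secret (SHA-256 stands in for a KDF here).
func gcmFrom(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptFor is one of the N-1 per-recipient encryptions; output is ephemeralPub(32) || nonce(12) || ciphertext.
func EncryptFor(recipient *ecdh.PublicKey, msg []byte) []byte {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader) // fresh per ciphertext
	shared, _ := eph.ECDH(recipient)
	gcm := gcmFrom(shared)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil)
}

// Decrypt is the recipient side: repeat the agreement with the embedded ephemeral key.
func Decrypt(priv *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	if len(ct) < 44 {
		return nil, errors.New("ciphertext too short")
	}
	eph, _ := ecdh.X25519().NewPublicKey(ct[:32]) // exactly 32 bytes, so this cannot fail
	shared, _ := priv.ECDH(eph)                   // a rejected point leaves shared nil and Open fails
	return gcmFrom(shared).Open(nil, ct[32:44], ct[44:], nil)
}

// SendToGroup looks each recipient up on the untrusted keyserver, refuses any key whose fingerprint differs from the one confirmed out of band, and returns one ciphertext per recipient.
func SendToGroup(ks map[string]*ecdh.PublicKey, trusted map[string][32]byte, msg []byte) (map[string][]byte, error) {
	out := map[string][]byte{}
	for name, fp := range trusted {
		pub, ok := ks[name]
		if !ok || Fingerprint(pub) != fp {
			return nil, errors.New("keyserver returned an unverified key for " + name)
		}
		out[name] = EncryptFor(pub, msg)
	}
	return out, nil
}
```

Without the fingerprint check the sender would encrypt to whatever key the keyserver returned, which is exactly the gap the thread points at; with it, a substituted key is refused before any ciphertext is produced.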