------ Original Message ------
From: "Moxie Marlinspike" <[email protected]>
To: [email protected]
Sent: 2014-10-31 12:36:25 PM
Subject: Re: [messaging] Forward secrecy and multiple devices
On 10/31/2014 09:10 AM, Ximin Luo wrote:
> "axolotl is forward-secret" doesn't mean "the entire application is
> forward-secret".

The fact that the device stores message history reduces the
effectiveness of having sent the message through a forward-secret
scheme like axolotl - an attacker who can compromise the long-term
key can just compromise the history itself.

> Protocols are different from the applications that use them. I said
> "can use," because it depends on the application. Maybe the application
> stores nothing, so there's nothing to transmit, but all future messages
> will ephemerally appear synchronized.

Right, but protocols don't operate in an ether. It is the case that, in
order to maintain any modicum of efficiency/speed/usability, generic
messaging applications will in fact need to store some message history.
The protocol doesn't dictate the application's needs outside of
cryptographic guarantees.

NK

> Or maybe the application does store something, but at some point the
> user decides to delete a message. If you didn't use a PFS transmission
> mechanism, a network attacker still has a copy. Right now I can delete
> a GPG encrypted email that I receive, but I have to be aware that I need
> to simultaneously delete my key.

The protocols that we design should do the best that they can within
their domain. What an application decides to do with the protocol is up
to the application, but at least the best possible properties are
available should the application require them.
- moxie
--
http://www.thoughtcrime.org
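The distinction argued over in the thread, as an added illustration that is not part of the original exchange and not code from axolotl/TextSecure: a toy, stdlib-only model of two transports. One encrypts every message under a single long-term key (the GPG-style case); the other uses a symmetric KDF chain in which each message key is derived from a chain key that is then replaced by a one-way derivation of itself. An attacker who recorded the ciphertexts on the wire and later compromises the device gets whatever key material is still present plus whatever history the application kept. The XOR-with-hash-keystream cipher, the HMAC tag and the sample keys and messages are all constructed for the demo and stand in for a real AEAD; `attacker_view` and the other function names are this example's own.

```python
import hashlib
import hmac

TAG_LEN = 32


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256): the output reveals nothing
    about the input key, which is what makes deleting the old state count."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (constructed for this demo, not a real AEAD):
    XOR with a hash-derived keystream plus an HMAC tag. Each key is used for
    exactly one message, so keystream reuse does not arise."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(key: bytes, sealed: bytes):
    """Plaintext, or None when the key does not authenticate the message."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


class ChainRatchet:
    """Symmetric KDF chain: every message key comes from the current chain key,
    which is then overwritten by a one-way derivation of itself. Old message
    keys are deleted after use and cannot be re-derived from later state."""

    def __init__(self, root_key: bytes):
        self.chain_key = root_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # previous state is gone
        return message_key


def static_transport(long_term_key: bytes, plaintexts):
    """GPG-style: every message under one long-term key, which is also the
    key material still sitting on the device afterwards."""
    return [seal(long_term_key, p) for p in plaintexts], long_term_key


def ratchet_transport(root_key: bytes, plaintexts):
    """Forward-secret transport: afterwards the device holds only the
    advanced chain key, none of the message keys already used."""
    ratchet = ChainRatchet(root_key)
    sealed = [seal(ratchet.next_message_key(), p) for p in plaintexts]
    return sealed, ratchet.chain_key


def attacker_view(scheme: str, captured, stolen_state: bytes, stored_history):
    """Plaintexts learned by an attacker who recorded `captured` on the wire
    and later compromises the device, obtaining the key material still
    present (`stolen_state`) and whatever history the application kept."""
    if scheme == "static":
        keys = [stolen_state] * len(captured)
    else:
        # The stolen chain key only runs forward: it yields keys for messages
        # sent *after* the compromise, never for the ones already captured.
        ratchet = ChainRatchet(stolen_state)
        keys = [ratchet.next_message_key() for _ in captured]
    from_wire = [unseal(k, c) for k, c in zip(keys, captured)]
    return set(stored_history) | {p for p in from_wire if p is not None}


def demo():
    # Constructed sample messages and keys.
    msgs = [b"meet at noon", b"bring the docs", b"please delete this"]
    long_term, root = b"\x11" * 32, b"\x22" * 32
    static_ct, static_left = static_transport(long_term, msgs)
    ratchet_ct, ratchet_left = ratchet_transport(root, msgs)
    kept = msgs[:2]  # the user deleted the third message from the app's history
    return {
        "static_full_history": attacker_view("static", static_ct, static_left, msgs),
        "static_after_delete": attacker_view("static", static_ct, static_left, kept),
        "ratchet_full_history": attacker_view("ratchet", ratchet_ct, ratchet_left, msgs),
        "ratchet_after_delete": attacker_view("ratchet", ratchet_ct, ratchet_left, kept),
    }


if __name__ == "__main__":
    for scenario, learned in demo().items():
        print(scenario, sorted(learned))
```

Running `demo()` shows the two halves of the argument side by side: with the static key, deleting the message from the application changes nothing because the recorded ciphertext still decrypts; with the ratchet, deleting the plaintext is sufficient because the captured ciphertext cannot be opened from any state left on the device. In both schemes, though, an application that keeps the full history hands the attacker everything, which is the point about protocol guarantees not extending to what the application stores.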
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging