<div dir="ltr">Yep. There definitely is that issue. At some point, you should delete interval keys to protect you from a TLA dropping your messages in transit and then sending a black bag team into your house/cave/press office or grabbing your computer at the border. At least that decision is completely an OPSEC consideration and one that varies considerably between users. For some, an hour is probably too long. For others, 24 hours might be on the short side. But it's a completely free choice (you can even change it after making your keys) for individuals or for application developers using libforwardsec. And unlike previous schemes, if you choose a long window you are not exposing messages you did receive.<div><br><div>I think this is an inherent problem with the intersection of offline delivery and forward security. If I recall correctly, TextSecure faces a similar trade-off on when to delete prekeys. <br><br></div></div><div>- Ian (apparently that one)</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 5, 2015 at 3:28 PM, Ian Goldberg <span dir="ltr">&lt;<a href="mailto:ian@cypherpunks.ca" target="_blank">ian@cypherpunks.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ian,<br>
<br>
Overall, a very nice scheme, and it's great you're producing<br>
production-quality code for it!<br>
<br>
There's still the potential issue I asked about at the end of your<br>
Oakland talk, though: the forward secrecy only kicks in if the intended<br>
recipient actually _receives_ the original message, which is a slightly<br>
different property than "traditional" forward secrecy. If the TLA<br>
(three-letter agency) doesn't just snoop the message, but actually<br>
intercepts (blocks) it, they can come a-knocking an arbitrary(*) time<br>
later to the intended recipient to compel the key that will decrypt it.<br>
<br>
(*) Up to when you _do_ decide to delete old keys, which is when you<br>
give up on any messages that arrive late/desynchronized.<br>
<br>
- Ian (not that one)<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Messaging mailing list<br>
<a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/messaging" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
</div></div></blockquote></div><br></div>