[messaging] Google End-to-End plans on using key directories with a CT-like verification protocol

Bruce Leidl bruce at subgraph.com
Thu Aug 28 13:20:10 PDT 2014

On Thu, Aug 28, 2014 at 2:18 PM, Moxie Marlinspike
<moxie at thoughtcrime.org> wrote:
> So my question is, how is this better than doing the following:
> 1) Transmitting identity keys in-band.
> 2) Doing TOFU for keys seen.
> 3) Make the client notifying the user when a key changes, if the user
> has a key change notification preference set.
> 4) Leaving the key change notification preference off by default.

Suppose Google receives a subpoena to intercept encrypted email
between alice at gmail.com and bob at gmail.com requiring Google to  apply
all technical capabilities available to them.  Google knows with
certainty if Alice and Bob have transmitted keys to each other and if
they haven't yet traded keys Google can silently intercept all future
encrypted messages whether notification is enabled or not.  On the
other hand if they have already exchanged keys, Google can just fire
off interception keys to one or both sides since in the majority of
cases this is also going to work according to the demographic
assumptions you laid out earlier.  In the rare case that the
interception attempt is detected Google just shrugs it off since
they've both met their legal obligation and user has been protected.


More information about the Messaging mailing list