[messaging] Forward secrecy and multiple devices
nadim at nadim.computer
Fri Oct 31 09:58:14 PDT 2014
------ Original Message ------
From: "Moxie Marlinspike" <moxie at thoughtcrime.org>
To: messaging at moderncrypto.org
Sent: 2014-10-31 12:36:25 PM
Subject: Re: [messaging] Forward secrecy and multiple devices
>On 10/31/2014 09:10 AM, Ximin Luo wrote:
>> "axolotl is forward-secret" doesn't mean "the entire application is
>> The fact that the device stores message history reduces the
>> effectiveness of having sent the message through a forward-secret
>> scheme like axolotl - an attacker who can compromise the long-term
>> key can just compromise the history itself.
>Protocols are different from the applications that use them. I said
>"can use," because it depends on the application. Maybe the application
>stores nothing, so there's nothing to transmit, but all future messages
>will ephemerally appear synchronized.
Right, but protocols don't operate in an ether. It is the case that, in
order to maintain any modicum of efficiency/speed/usability, generic
messaging applications will in fact need to store some message history.
The protocol doesn't dictate the application's needs outside of
>Or maybe the application does store something, but at some point the
>user decides to delete a message. If you didn't use a PFS transmission
>mechanism, a network attacker still has a copy. Right now I can delete
>a GPG encrypted email that I receive, but I have to be aware that I
>to simultaneously delete my key.
>The protocols that we design should do the best that they can within
>their domain. What an application decides to do with the protocol is up
>to the application, but at least the best possible properties are
>available should the application require them.
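The distinction drawn above between the protocol's forward secrecy and what the application stores, as an added toy example that is not from this thread: a symmetric hash ratchet (standing in for axolotl's chain) with an application-level history store, compared against a single long-term key (the GPG case). Assumed: HMAC-SHA256 as the one-way KDF, an HMAC-keystream XOR as a stand-in for a real AEAD, and constructed messages and keys.

```python
import hmac, hashlib, os
def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step (HMAC-SHA256): a newer chain key cannot be walked back."""
    return hmac.new(key, label, hashlib.sha256).digest()
def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC keystream XOR); stands in for a real AEAD."""
    ks = b"".join(kdf(key, nonce + i.to_bytes(4, "big")) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

class Sender:
    """Symmetric hash ratchet: each message key is derived, used once, dropped."""
    def __init__(self, root: bytes, store_history: bool):
        self.chain, self.n = root, 0
        self.history = {} if store_history else None   # application's choice
    def send(self, plaintext: bytes):
        mk, self.chain = kdf(self.chain, b"msg"), kdf(self.chain, b"chain")
        n, self.n = self.n, self.n + 1
        ct = stream_xor(mk, n.to_bytes(4, "big"), plaintext)
        if self.history is not None:
            self.history[n] = plaintext        # outside the protocol's reach
        return n, ct                           # what a network attacker sees
    def delete(self, n: int):                  # user deletes a message
        if self.history is not None:
            self.history.pop(n, None)

def compromise_ratchet(sender: Sender, captured: dict) -> dict:
    """Device compromise: current chain key + stored history + all captured
    ciphertexts. Only the next key is derivable; earlier ones cannot be walked back."""
    out = dict(sender.history or {})
    mk_next = kdf(sender.chain, b"msg")
    for n, ct in captured.items():
        out.setdefault(n, stream_xor(mk_next, n.to_bytes(4, "big"), ct))
    return out

def compromise_static(key: bytes, captured: dict) -> dict:
    """Same compromise against a long-term-key scheme (GPG-style)."""
    return {n: stream_xor(key, n.to_bytes(4, "big"), ct) for n, ct in captured.items()}

def demo(store_history: bool) -> dict:
    """Per message: is the plaintext recovered after the user deleted message 1?"""
    msgs = [b"hello", b"secret plan", b"bye"]
    root = os.urandom(32)                      # constructed shared secret
    alice = Sender(root, store_history)
    captured = dict(alice.send(m) for m in msgs)
    alice.delete(1)
    ratchet = compromise_ratchet(alice, captured)
    static = compromise_static(root, {n: stream_xor(root, n.to_bytes(4, "big"), m)
                                      for n, m in enumerate(msgs)})
    return {"ratchet": [ratchet[n] == m for n, m in enumerate(msgs)],
            "static": [static[n] == m for n, m in enumerate(msgs)]}
```

With the ratchet, a compromise only yields what the application chose to keep, and a deleted message is gone even though the network copy of its ciphertext survives; with the static key every captured ciphertext decrypts regardless of deletion.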