[messaging] Forward secrecy and multiple devices

Nadim Kobeissi nadim at nadim.computer
Fri Oct 31 09:58:14 PDT 2014

------ Original Message ------
From: "Moxie Marlinspike" <moxie at thoughtcrime.org>
To: messaging at moderncrypto.org
Sent: 2014-10-31 12:36:25 PM
Subject: Re: [messaging] Forward secrecy and multiple devices

>On 10/31/2014 09:10 AM, Ximin Luo wrote:
>>  "axolotl is forward-secret" doesn't mean "the entire application is
>>  forward-secret".
>>  The fact that the device stores message history, reduces the
>>  effectiveness of having sent the message through a forward-secret
>>  scheme like axolotl - an attacker who can compromise the long-term
>>  key can just compromise the history itself.
>Protocols are different from the applications that use them. I said
>"can use," because it depends on the application. Maybe the application
>stores nothing, so there's nothing to transmit, but all future messages
>will ephemerally appear synchronized.
Right, but protocols don't operate in an ether. It is the case that, in 
order to maintain any modicum of efficiency/speed/usability, generic 
messaging applications will in fact need to store some message history. 
The protocol doesn't dictate the application's needs outside of 
cryptographic guarantees.


>Or maybe the application does store something, but at some point the
>user decides to delete a message. If you didn't use a PFS transmission
>mechanism, a network attacker still has a copy. Right now I can delete
>a GPG encrypted email that I receive, but I have to be aware that I need
>to simultaneously delete my key.
>The protocols that we design should do the best that they can within
>their domain. What an application decides to do with the protocol is up
>to the application, but at least the best possible properties are
>available should the application require them.
>- moxie
>Messaging mailing list
>Messaging at moderncrypto.org
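The distinction drawn in this exchange (protocol-level forward secrecy versus what the application keeps on disk) can be shown concretely with a toy symmetric ratchet. The following is an added illustration, not code from the list or from any Axolotl implementation: the chain-key derivation mirrors the Axolotl KDF-chain idea, but the XOR keystream cipher, the fixed initial chain key and the three sample messages are constructed here for demonstration only. The attacker model is a full copy of the device's current state plus every ciphertext captured from the network.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a fixed shared chain key and three messages.
INITIAL_CHAIN_KEY = hashlib.sha256(b"constructed demo chain key").digest()
MESSAGES = [b"meet at 10", b"bring the docs", b"delete this later"]


def ratchet(chain_key: bytes):
    """One symmetric-ratchet step: derive the next chain key and a one-time message key.
    HMAC is one-way, so holding next_ck does not let anyone recover chain_key or mk."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    mk = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, mk


def toy_xor(mk: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC in counter mode). Illustration only; a real protocol uses an AEAD."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(mk, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Device:
    """A receiving device. The protocol layer discards each message key after use;
    whether plaintext history is retained is an application-layer decision."""

    def __init__(self, chain_key: bytes, keep_history: bool):
        self.chain_key = chain_key
        self.keep_history = keep_history
        self.history = []

    def receive(self, ciphertext: bytes) -> bytes:
        self.chain_key, mk = ratchet(self.chain_key)
        plaintext = toy_xor(mk, ciphertext)
        del mk  # protocol-level forward secrecy: the message key is gone after use
        if self.keep_history:
            self.history.append(plaintext)  # application-level choice, outside the protocol
        return plaintext


def send_all(chain_key: bytes, messages):
    """Sender side: ratchet once per message and encrypt under the derived message key."""
    out = []
    for m in messages:
        chain_key, mk = ratchet(chain_key)
        out.append(toy_xor(mk, m))
    return out


def compromise(device: Device, captured):
    """Attacker with the device's current state and all captured ciphertexts.
    Returns whatever plaintext that state actually yields."""
    recovered = list(device.history)  # stored history is simply read back
    # Keys derived from the current chain key only open future messages;
    # applying them to captured past traffic yields garbage, so nothing is added here.
    ck = device.chain_key
    for c in captured:
        ck, mk = ratchet(ck)
        guess = toy_xor(mk, c)
        if guess in MESSAGES:
            recovered.append(guess)
    return recovered


def simulate(keep_history: bool):
    """Deliver all messages to a device, then compromise it; return what the attacker reads."""
    ciphertexts = send_all(INITIAL_CHAIN_KEY, MESSAGES)
    dev = Device(INITIAL_CHAIN_KEY, keep_history)
    for c in ciphertexts:
        dev.receive(c)
    return compromise(dev, ciphertexts)


if __name__ == "__main__":
    print("history disabled:", simulate(False))  # nothing recoverable from state + traffic
    print("history enabled: ", simulate(True))   # the whole history, ratchet or not
```

With history disabled the ratchet does its job: the current chain key cannot be run backwards, so captured ciphertexts stay opaque to whoever copies the device. With history enabled the same ratchet is still forward secret, yet the attacker reads every message from the stored plaintext, which is exactly why "the protocol is forward secret" says nothing about the application unless the application deletes what it stores.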
