[messaging] Multiple devices and key synchronization: some thoughts

carlo von lynX lynX at i.know.you.are.psyced.org
Fri Jan 2 01:47:08 PST 2015

Trevor, interesting, but there is a huge gain in having an offline
or airgapped master key: You can not only re-issue any key that may
have fallen into the wrong hands, if your protocol is sufficiently
advanced you can prune all the messages from the history that you
didn't actually write yourself. By the time your peers come online
you might already have cleaned out all the SPAM that was sent in
your name. I think this is a huge advantage of master-key-signed

Tony, I would like to challenge the idea of the necessity of a "bootstrap
message" - that is to write to a person by either using her master
key or encrypting to all currently known keys. If you are in a social
relationship with that person you must have absolved a communication
bootstrap procedure (using QR codes, shared secrets, social graph
adoption or Bluetooth handshake... whatever) and thus you should be
having an ongoing ephemeral key for each person you talk to. Both
Briar and Pond use ephemerals once the communication is started. The
challenge in this case is rather to synchronize the ephemerals among
the devices, and that can be done with a pubsub channel link between
the devices. Doesn't that make sense?

Maxwell, introducing a dependency on a master server to maintain the
master key doesn't sound very safe to me. I like that in our model
we can generate all the key material offline, then print the master
private key on a sheet of paper and wipe the computer's memory of it
before getting online.

On Mon, Dec 29, 2014 at 08:17:27PM -0800, Joseph Bonneau wrote:
> This is a nice protocol but it's solving a different problem being
> discussed initially in this thread. I think it's worth starting from the
> high-level user experience we want here before diving into the crypto,

Yes, I think people can be motivated to use an offline computer
for a few minutes to generate keys and have actual physical paper
to put in a safe place. From then on they don't need to worry as
much about the safety of their devices since they have the power
to revert any failures.

> because people are already discussing crypto protocols which provide a
> pretty different UX. Ignoring setup/pairing, which is a pain in almost any
> protocol, there are three possible versions of the "multi device UI" which
> have already been proposed in this thread:

Do you mean setup/pairing of devices or people? For people there is a viable
safe shortcut using social graph adoption, but it needs the implementation
of a distributed private social graph. For devices the same technology used
for social graph can also be used for linking personal devices, thus keeping
devices in sync is no longer an issue. I don't see a need for any of the
following scenarios and the implied disadvantages:

> *A user has multiple devices, any one of which can read messages if it is
> online (Trevor's #2/3/4 all fit here as do all of David's proposals)
> *A user has multiple devices, one "master" (or "home server") of which must
> be online for the user to be able to read messages at any other device
> (this was Trevor's #1)
> *A user has multiple devices, two of which must be online to sign something
> and set up a channel (2-Schnorr?)
> There are many other combos when you get in to issuing/revoking/changing
> keys. For example, you might also use the 2-Schnorr protocol only to
> protect some meta-key to sign other device keys, and not for routine
> messages.
> In any case, I would advocate that any system needs to be flexible for
> different users to choose multiple options based on their security
> preferences. I suspect most users will want a simple baseline UI along the
> lines of iMessage (or almost any other chat app) today, which is that you
> can enroll any new device instantaneously with a username/password only and
> no pairing protocol. I think if you want to design a mass-market system,
> anything involving an explicit device pairing-protocol needs to be an
> opt-in feature.

Consider also the possibility that market logic may not work out as
it never has in the past two decades since we "won" the crypto wars.
If we let people always take the decision and opt for easy solutions
humanity may never experience a secure Internet as they will always
pick a compromised solution and mass surveillance will go on, to
the detriment of democracy. Consider the possibility that the only
way to create an Internet that respects the principles of democratic
constitutions could be to put certain basic requirements of end-to-end
security into law. http://youbroketheinternet.org/legislation/ is
about that, a law proposal for obligatory encryption.

What happened to David? I was curious to read his reply to my post!
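Editor's added example of the offline-master-key model argued for in the first paragraph (not code from the thread, nor from Briar or Pond): the master key, which never leaves the airgapped machine, certifies each device key and signs revocations; a peer runs Prune over its stored history to drop everything a revoked device signed, which is the "prune the messages you didn't write yourself" step. Ed25519 and the "revoke:" domain prefix are assumed conventions chosen for the example.

```go
package main

import "crypto/ed25519"

// DeviceCert: the offline master key vouches for one device key.
type DeviceCert struct {
	DevicePub ed25519.PublicKey
	MasterSig []byte // master signature over DevicePub
}
// Revocation: master-signed statement that a device key is no longer trusted.
type Revocation struct {
	DevicePub ed25519.PublicKey
	MasterSig []byte // master signature over "revoke:" || DevicePub (assumed convention)
}
// Message as a peer stores it: body, the device key that signed it, and the signature.
type Message struct {
	Body      []byte
	DevicePub ed25519.PublicKey
	Sig       []byte
}

// IssueDevice runs on the offline master machine; devPub is carried there (QR code etc.).
func IssueDevice(masterPriv ed25519.PrivateKey, devPub ed25519.PublicKey) DeviceCert {
	return DeviceCert{devPub, ed25519.Sign(masterPriv, devPub)}
}

// Revoke also runs offline; the result is published to peers over the pubsub channel.
func Revoke(masterPriv ed25519.PrivateKey, devPub ed25519.PublicKey) Revocation {
	return Revocation{devPub, ed25519.Sign(masterPriv, append([]byte("revoke:"), devPub...))}
}

// Prune is what a peer runs over its history: keep only messages signed by a device the
// master certified and has not revoked. No other device of the owner needs to be online.
func Prune(masterPub ed25519.PublicKey, certs []DeviceCert, revs []Revocation, history []Message) []Message {
	trusted := map[string]bool{}
	for _, c := range certs { // length check first: Verify panics on a malformed key
		if len(c.DevicePub) == ed25519.PublicKeySize && ed25519.Verify(masterPub, c.DevicePub, c.MasterSig) {
			trusted[string(c.DevicePub)] = true
		}
	}
	for _, r := range revs { // only the master can revoke; a stolen device cannot revoke its siblings
		if ed25519.Verify(masterPub, append([]byte("revoke:"), r.DevicePub...), r.MasterSig) {
			delete(trusted, string(r.DevicePub))
		}
	}
	var kept []Message
	for _, m := range history {
		if trusted[string(m.DevicePub)] && ed25519.Verify(m.DevicePub, m.Body, m.Sig) {
			kept = append(kept, m)
		}
	}
	return kept
}
```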
