[messaging] libforwardsec: forward secure encryption for email and asynchronous messaging

[Ian Goldberg]

Ian,

Overall, a very nice scheme, and it's great you're producing
production-quality code for it!

There's still the potential issue I asked about at the end of your
Oakland talk, though: the forward secrecy only kicks in if the intended
recipient actually _receives_ the original message, which is a slightly
different property than "traditional" forward secrecy.  If the TLA
(three-letter agency) doesn't just snoop the message, but actually
intercepts (blocks) it, they can come a-knocking an arbitrary(*) time
later to the intended recipient to compel the key that will decrypt it.

(*) Up to when you _do_ decide to delete old keys, which is when you
give up on any messages that arrive late/desynchronized.

   - Ian (not that one)