On Thu, Aug 28, 2014 at 2:18 PM, Moxie Marlinspike <[email protected]> wrote:
> So my question is, how is this better than doing the following:
>
> 1) Transmitting identity keys in-band.
>
> 2) Doing TOFU for keys seen.
>
> 3) Making the client notify the user when a key changes, if the user
> has a key change notification preference set.
>
> 4) Leaving the key change notification preference off by default.
>

Suppose Google receives a subpoena to intercept encrypted email between [email protected] and [email protected] requiring Google to apply all technical capabilities available to them. Google knows with certainty if Alice and Bob have transmitted keys to each other, and if they haven't yet traded keys, Google can silently intercept all future encrypted messages whether notification is enabled or not. On the other hand, if they have already exchanged keys, Google can just fire off interception keys to one or both sides, since in the majority of cases this is also going to work according to the demographic assumptions you laid out earlier. In the rare case that the interception attempt is detected, Google just shrugs it off since they've both met their legal obligation and the user has been protected.

--brl

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
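
The four-step scheme quoted above and the cases raised in the reply, modelled as an added example (not code from either poster or from any project discussed). The class and function names, the peer address and the key bytes are constructed for illustration; the example tabulates in which cases a key delivered in-band that is not the peer's own ever produces a warning for the user.

```python
import hashlib
from dataclasses import dataclass, field

PEER = "bob@example.com"                   # constructed address
GENUINE_KEY = b"constructed-key-bob"       # constructed key material
SUBSTITUTED_KEY = b"constructed-key-other" # constructed, not Bob's key


def fingerprint(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint used as the pinned value."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class TofuClient:
    # Step 4 of the quoted scheme: notification is off unless the user opts in.
    notify_on_change: bool = False
    pins: dict = field(default_factory=dict)

    def receive_key(self, peer: str, pubkey: bytes) -> str:
        """Process an identity key that arrived in-band (step 1)."""
        fp = fingerprint(pubkey)
        pinned = self.pins.get(peer)
        if pinned is None:
            # Step 2: trust on first use. Nothing to compare against,
            # so no warning is possible whatever the preference is.
            self.pins[peer] = fp
            return "pinned-first-use"
        if pinned == fp:
            return "match"
        if self.notify_on_change:
            # Step 3. Assumption: the old pin is kept until the user decides.
            return "change-notified"
        self.pins[peer] = fp
        return "change-silent"


def user_warned(notify_on_change: bool, keys_already_exchanged: bool) -> bool:
    """True only if the user sees a warning when a non-genuine key arrives."""
    client = TofuClient(notify_on_change)
    if keys_already_exchanged:
        client.receive_key(PEER, GENUINE_KEY)
    return client.receive_key(PEER, SUBSTITUTED_KEY) == "change-notified"


def coverage() -> dict:
    """Map (notify_on_change, keys_already_exchanged) -> user warned?"""
    return {(n, e): user_warned(n, e) for n in (False, True) for e in (False, True)}
```

Only one of the four cells in `coverage()` is `True`: notification enabled and a genuine key already pinned.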
