Ian, Overall, a very nice scheme, and it's great you're producing production-quality code for it!
There's still the potential issue I asked about at the end of your Oakland talk, though: the forward secrecy only kicks in if the intended recipient actually _receives_ the original message, which is a slightly different property than "traditional" forward secrecy. If the TLA (three-letter agency) doesn't just snoop the message, but actually intercepts (blocks) it, they can come a-knocking an arbitrary(*) time later to the intended recipient to compel the key that will decrypt it.

(*) Up to when you _do_ decide to delete old keys, which is when you give up on any messages that arrive late/desynchronized.

- Ian (not that one)

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
