Thanks for the explanation previously. Let me put it into different terms,
which might make it clearer for others. Your scheme decouples these two things:
1. the ability to prevent decryption of messages sent in the past (that were
not received)
2. the ability to prevent re-decryption of
Another approach with the proposed scheme:
the receiver can puncture the decryption key regularly with a known time period. So
the sender can manage PFS himself: send a message with a "best before" lifetime
(while the receiver is still viable and honest, of course). This can be useful in some
cases.