by drdaeman 3114 days ago
Revoke the key, so the lost device won't be able to read the new messages. What the device already knows - it just can't be helped.

This is irrelevant to E2E or even PFS. Basically, it's about message archive security - either it's leaked (and no amount of encryption and authentication would help) or not.

E2E systems can sync message history - by mutually verifying device keys and then propagating data across such trusted links. I mean, if someone can send you a large file there is no reason one of your devices can't send a message to another of your devices, with a large encrypted blob of what it knows about the past. And if all devices (including possible server-kept archive private key derivation passphrase) are lost, then message history is gone.


>And if all devices (including possible server-kept archive private key derivation passphrase) are lost, then message history is gone.

If a server can decrypt your messages, then it's not really E2E anymore, is it?

I believe E2E means that data is encrypted and decrypted on endpoints and nothing else. It doesn't imply how the keys are produced or who else knows the keys.

But I was thinking about a scheme where the key is encrypted with a passphrase (that users ought to remember) and kept on the server. You fetch the blob, decrypt it (server can't), get the key and thus are able to decrypt the existing data (message archive).

This lowers security, but adds a significant convenience of being able to recover history if the only device is broken or lost. Which may be important for casual users.
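The passphrase-wrapped-key scheme sketched above, as an added example that is not part of the thread: the archive key is stretched under a passphrase with scrypt (the cost parameters and the one-time-pad-plus-HMAC wrapping are my assumptions), and the server only ever stores the opaque blob, so it can hand the blob to a new device but cannot recover the key itself.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed demo: scrypt cost parameters chosen for a quick run, not for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 13, 8, 1


def _derive(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase into a 32-byte wrapping key and a 32-byte MAC key."""
    okm = hashlib.scrypt(passphrase.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return okm[:32], okm[32:]


def wrap_archive_key(archive_key: bytes, passphrase: str) -> bytes:
    """Client side: build the blob the server stores. The passphrase never leaves the client."""
    assert len(archive_key) == 32
    salt = os.urandom(16)  # fresh salt, so the derived wrapping key is used exactly once
    wrap_key, mac_key = _derive(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(archive_key, wrap_key))  # one-time pad over the 32-byte key
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + ct + tag


def unwrap_archive_key(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Client side on a replacement device: recover the key, or None on wrong passphrase/tampering."""
    if len(blob) != 16 + 32 + 32:
        return None
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    wrap_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before releasing any key material
    return bytes(a ^ b for a, b in zip(ct, wrap_key))


class ArchiveKeyServer:
    """All the server holds: opaque blobs per user. No passphrase, no archive key."""

    def __init__(self) -> None:
        self._blobs: Dict[str, bytes] = {}

    def store(self, user: str, blob: bytes) -> None:
        self._blobs[user] = blob

    def fetch(self, user: str) -> bytes:
        return self._blobs[user]


def demo() -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    archive_key = os.urandom(32)  # the key that protects the message archive
    server = ArchiveKeyServer()
    server.store("alice", wrap_archive_key(archive_key, "correct horse battery staple"))
    blob = server.fetch("alice")  # new device, old one lost
    return (archive_key,
            unwrap_archive_key(blob, "correct horse battery staple"),
            unwrap_archive_key(blob, "not the passphrase"))
```

The strength of the whole scheme rests on the passphrase, which is the trade-off the comment describes: convenience of recovery in exchange for protection that is only as good as what the user remembers.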