by maqp
1961 days ago
PGP lacks forward secrecy. E.g. the Iranian government can collect every PGP message you ever send, and if and when they compromise your private key, they can retrospectively a) decrypt your entire message history, even if you've deleted it from your endpoint b) prove that you're the author of every message, because only your private key can be used to craft the digital signatures. Signal solves both problems. For dissidents' communication, PGP is hard to use and incredibly dangerous even when used correctly. It needs to be killed with fire and buried next to nuclear waste in a container made of Beskar or something.
|
But how many people actually delete their old messages? If they don't, then forward secrecy doesn't help. They get your messages when they get your key material.
Encrypted instant messaging is inherently less secure than something that can be performed offline like encrypted email, because the key information is exposed all the time. So it is much less likely that you will have your key information exposed in the first place with encrypted email. An instant messenger on a phone can normally be defeated simply by grabbing your unlocked phone from your hand and scrolling through your old messages.
>prove that you're the author of every message, because only your private key can be used to craft the digital signatures.
A private key that in the case of, say, PGP does not have to be associated with any particular identity at all. Also, PGP offers actual deniability by simply not signing the message in the first place while, say, Signal only offers a particularly weak version of forgeability[1] which is problematic in general.
[1] https://articles.59.ca/doku.php?id=pgpfan:repudiability#forg... (see Forgeablity Light)
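The two properties argued over above, forward secrecy and deniable authentication, can be seen concretely in a small hash ratchet. The block below is an added illustration for this thread, not code from Signal, PGP, or either commenter: it uses only the Python standard library, the stream cipher is a toy built from SHA-256 for demonstration only, and the names (`RatchetState`, `seal`, `open_message`, `forward_secrecy_demo`) are assumptions made here. It shows that seizing a device after an exchange yields the current chain key but no past message keys, that the same seizure does expose the next message until the parties re-key (the point of the reply about undeleted history still standing), and that a shared-key MAC, unlike a signature, lets either party produce a message that verifies.

```python
"""Toy symmetric hash ratchet illustrating forward secrecy and deniable
authentication. Added example for this thread, not code from Signal, PGP or
any commenter; the stream cipher and all names are constructed here."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (constructed; not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RatchetState:
    """Holds only the *current* chain key; earlier chain keys are overwritten."""

    def __init__(self, chain_key: bytes, index: int = 0):
        self.chain_key = chain_key
        self.index = index

    def next_message_key(self) -> tuple:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # ratchet forward, drop old key
        index, self.index = self.index, self.index + 1
        return index, message_key


def seal(state: RatchetState, plaintext: bytes) -> dict:
    """Encrypt-then-MAC one message under the next message key."""
    index, mk = state.next_message_key()
    ciphertext = xor(plaintext, keystream(kdf(mk, b"enc"), len(plaintext)))
    tag = hmac.new(kdf(mk, b"mac"), index.to_bytes(4, "big") + ciphertext,
                   hashlib.sha256).digest()
    return {"index": index, "ciphertext": ciphertext, "tag": tag}


def open_message(state: RatchetState, msg: dict) -> bytes:
    """Verify and decrypt; raises if the message is out of order or the tag is wrong."""
    index, mk = state.next_message_key()
    if index != msg["index"]:
        raise ValueError("message index does not match ratchet position")
    expected = hmac.new(kdf(mk, b"mac"), index.to_bytes(4, "big") + msg["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("bad tag")
    return xor(msg["ciphertext"], keystream(kdf(mk, b"enc"), len(msg["ciphertext"])))


def forward_secrecy_demo(messages=(b"first", b"second", b"third")) -> dict:
    root = os.urandom(32)  # shared secret from an earlier key agreement (constructed)
    alice, bob = RatchetState(root), RatchetState(root)
    transcript = [seal(alice, m) for m in messages]
    received = [open_message(bob, m) for m in transcript]

    # Bob's device is seized *after* the exchange: the attacker obtains only the
    # current chain key and position, never the root or any past message key.
    seized = RatchetState(bob.chain_key, bob.index)

    # Past traffic: message key 0 came from a chain key that no longer exists
    # anywhere, so rewinding the seized state to index 0 fails the tag check.
    try:
        open_message(RatchetState(seized.chain_key, 0), transcript[0])
        past_recoverable = True
    except ValueError:
        past_recoverable = False

    # Future traffic: until the parties re-key, the seized state decrypts the
    # next message Alice sends. Forward secrecy only protects the past.
    future_recoverable = open_message(seized, seal(alice, b"fourth")) == b"fourth"

    # Deniability: the tag is an HMAC under a key Bob also holds, so Bob can
    # produce a message that verifies exactly as one from Alice would.
    forged = seal(RatchetState(root), b"never said this")
    peer_can_forge = open_message(RatchetState(root), forged) == b"never said this"

    return {"delivered": received, "past_recoverable": past_recoverable,
            "future_recoverable": future_recoverable, "peer_can_forge": peer_can_forge}
```

The deniability check is the counterpart of the thread's signature argument: with a signature, only the holder of the private key could have produced the tag, so a third party can be convinced of authorship; with a shared-key MAC, the recipient could have produced it too, so the transcript proves nothing to anyone else.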