We are talking about public keys here, not signatures.

> It's TOFU, but the key rotates with each message I send.

You seem to be confusing the Signal long-term identities with forward secrecy.

> ...if I can ever send a single message to you which isn't MITM-ed, every message sent thereafter will be secure.

This isn't true. Signal verifies identities the exact same way PGP verifies identities. As with PGP, if you haven't checked your "safety numbers" you can't be sure your messages are actually ending up with your correspondent.

> Because your code is different for every conversation, it protects against correlation attacks.

PGP normally uses a different session key for each and every message ... but that isn't really relevant for either the Signal or PGP case if we are talking about correlation. For efficiency and convenience each message is normally tagged with the encryption key fingerprint of the recipient, but you can turn that off if that might be a problem in your particular application. At that point there is nothing an observer can use to determine anything about the sender or receiver.

You probably meant to reference Signal's "sealed sender". It doesn't really work in practice:

> https://www.ndss-symposium.org/ndss-paper/improving-signals-...
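As an added example (not part of the comment above, and not GnuPG's own code), here is what "tagged with the recipient's key" looks like on the wire and what an observer can read off it. In RFC 4880 the tag is the 8-octet key ID in each public-key-encrypted session key (PKESK) packet; GnuPG's `--throw-keyids` / `--hidden-recipient` replaces it with the all-zero "wild card" key ID. The parser below walks a message's packet headers and reports the visible recipient key IDs. The helper names (`read_packet_header`, `observable_recipients`, `build_pkesk`, ...) and the two sample messages are constructed for this illustration; the sample MPI and ciphertext bytes are toys, not real encrypted data.

```python
"""Walk an OpenPGP message and report what a passive observer sees in the
PKESK packets: the recipient's 8-octet key ID, or None when the sender
zeroed it ("wild card" key ID, RFC 4880 5.1; GnuPG --throw-keyids).
Packet header parsing follows RFC 4880 section 4.2.  Added example, not
GnuPG code; all inputs below are constructed."""

PKESK_TAG = 1          # Public-Key Encrypted Session Key packet
SEIPD_TAG = 18         # Sym. Encrypted Integrity Protected Data packet
WILDCARD_KEY_ID = bytes(8)


def read_packet_header(data, pos):
    """Parse one packet header at data[pos:]; return (tag, body_start, body_len)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header (bit 7 clear)")
    if first & 0x40:
        # New format (RFC 4880 4.2.2): tag in low 6 bits, variable-length length.
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled here")
    # Old format (RFC 4880 4.2.1): tag in bits 2..5, length type in bits 0..1.
    tag = (first >> 2) & 0x0F
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate-length packet not handled")
    nlen = (1, 2, 4)[ltype]
    length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
    return tag, pos + 1 + nlen, length


def parse_pkesk(body):
    """Return (key_id_hex or None, pk_algorithm) from a v3 PKESK body (RFC 4880 5.1)."""
    if body[0] != 3:
        raise ValueError("unsupported PKESK version %d" % body[0])
    key_id = body[1:9]
    algo = body[9]
    visible = None if key_id == WILDCARD_KEY_ID else key_id.hex().upper()
    return visible, algo


def observable_recipients(message):
    """Key IDs an observer can read from a message's PKESK packets (None = hidden)."""
    recipients = []
    pos = 0
    while pos < len(message):
        tag, start, length = read_packet_header(message, pos)
        if tag == PKESK_TAG:
            key_id, _algo = parse_pkesk(message[start:start + length])
            recipients.append(key_id)
        pos = start + length
    return recipients


def build_pkesk(key_id, algo=1):
    """Construct a minimal v3 PKESK packet (new-format header, RSA algo 1) with a toy MPI."""
    assert len(key_id) == 8
    mpi = b"\x00\x10" + b"\xAB\xCD"   # 16-bit MPI: bit count, then value (toy, not a session key)
    body = b"\x03" + key_id + bytes([algo]) + mpi
    return bytes([0xC0 | PKESK_TAG, len(body)]) + body


def build_seipd(payload):
    """Construct a tag-18 packet around opaque bytes standing in for ciphertext."""
    return bytes([0xC0 | SEIPD_TAG, len(payload)]) + payload


# Constructed sample messages (not real GnuPG output): identical "ciphertext",
# one tagged with the recipient's key ID, one carrying the all-zero wild card.
RECIPIENT_KEY_ID = bytes.fromhex("0123456789ABCDEF")
CIPHERTEXT = b"\x01" + bytes(range(20))
TAGGED_MESSAGE = build_pkesk(RECIPIENT_KEY_ID) + build_seipd(CIPHERTEXT)
HIDDEN_MESSAGE = build_pkesk(WILDCARD_KEY_ID) + build_seipd(CIPHERTEXT)

if __name__ == "__main__":
    print("tagged :", observable_recipients(TAGGED_MESSAGE))   # ['0123456789ABCDEF']
    print("hidden :", observable_recipients(HIDDEN_MESSAGE))   # [None]
```

The two messages differ only in those eight octets, which is exactly the metadata the thread is arguing about: with the key ID present, anyone holding the ciphertext can look the recipient up on a keyserver; with it zeroed, the recipient has to try every secret key until one decrypts the session key, which is the cost GnuPG documents for `--throw-keyids`.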