by e12e 4376 days ago
From a quick look around, it looks like the best bet on asynchronous forward secrecy that doesn't rely on a (highly) trusted server (one that, e.g., shares a secret with every sender and receiver, Kerberos-style) is something along the lines of "The Text Secure Protocol"[1].

No reason why this couldn't be bolted on top of email (send the actual message as an attachment, like with PGP/MIME). It would probably create a new set of metadata (requests to the recipient's "half-key" service/server; locating it could be delegated to SRV records or something similar, with the domain derived from the email address) -- but I'm not aware of any other schemes for generating ephemeral keys in a reasonable manner compatible with (semi-)asynchronous communications.

It does seem like "true" off-line message composition wouldn't be possible (the email client (or client service) needs to go online in order to encrypt/pack up the final message). This means that drafts/messages "in transit" would be possible to recover from the sender's device in the case of, e.g., several mails being written on a flight w/o net access and a search/seizure before the mails could be encrypted to the receiver.

All in all, this sounds like a tricky problem... Anyone know of any recent bright ideas in the field of PFS for asynchronous messaging?

[1] https://whispersystems.org/blog/asynchronous-security/
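The "half-key" exchange sketched in the comment above, as an added worked example; this is not code from the original post or from TextSecure. It models the recipient publishing one-time public key halves ("prekeys") to a lookup server, the sender fetching one and combining it with the recipient's identity key through three Diffie-Hellman computations (the shape the linked post describes), and the recipient deleting the matching private half once a message has been authenticated. Everything beyond that is an assumption made for the example: finite-field DH over the RFC 3526 2048-bit group in place of Curve25519, HKDF-SHA256 for key derivation, a placeholder hash-based keystream plus HMAC standing in for a real AEAD, an in-memory dict as the server, and constructed names and messages (bob@example.org, "first message", "second message").

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2: used only because it needs no library; the real protocol uses Curve25519.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def keygen():
    priv = secrets.randbits(512) | (1 << 511)  # a 512-bit exponent is ample for this safe-prime group
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    if not 1 < peer_pub < P - 1:  # reject the degenerate public values 0, 1 and P-1
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(256, "big")

def derive_keys(*dh_outputs):
    """HKDF-SHA256 (zero salt) over the concatenated DH outputs -> (cipher key, MAC key)."""
    prk = hmac.new(b"\0" * 32, b"".join(dh_outputs), hashlib.sha256).digest()
    t1 = hmac.new(prk, b"async-msg\x01", hashlib.sha256).digest()
    t2 = hmac.new(prk, t1 + b"async-msg\x02", hashlib.sha256).digest()
    return t1, t2

def keystream_xor(key, data):
    """Placeholder cipher: XOR with SHA-256(key || counter) blocks. A real AEAD belongs here."""
    stream = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest()
                      for n in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, stream))

class PrekeyServer:
    """Untrusted directory of identity public keys and one-time prekey halves; holds no private material."""
    def __init__(self):
        self.bundles = {}
    def upload(self, user, identity_pub, prekey_pubs):
        self.bundles[user] = (identity_pub, dict(prekey_pubs))
    def fetch(self, user):
        identity_pub, prekeys = self.bundles[user]
        if not prekeys:
            raise LookupError("no prekeys left for " + user)  # recipient must come online and top up
        prekey_id = min(prekeys)
        return identity_pub, prekey_id, prekeys.pop(prekey_id)  # each half is handed out exactly once

class Recipient:
    def __init__(self, name):
        self.name, self.prekey_privs = name, {}
        self.id_priv, self.id_pub = keygen()
    def publish(self, server, count):
        pubs = {}
        for i in range(count):  # generated while online; the private halves never leave the device
            self.prekey_privs[i], pubs[i] = keygen()
        server.upload(self.name, self.id_pub, pubs)
    def receive(self, env):
        pk_priv = self.prekey_privs[env["prekey_id"]]  # KeyError once this prekey has been consumed
        cipher_key, mac_key = derive_keys(dh(pk_priv, env["sender_id_pub"]),
                                          dh(self.id_priv, env["sender_eph_pub"]),
                                          dh(pk_priv, env["sender_eph_pub"]))
        tag = hmac.new(mac_key, env["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, env["tag"]):
            raise ValueError("bad MAC")
        # Delete the private half only after the message authenticates (so junk cannot burn
        # prekeys); from here on nobody, the recipient included, can decrypt a replay.
        del self.prekey_privs[env["prekey_id"]]
        return keystream_xor(cipher_key, env["ciphertext"])

def send(sender_id, server, to, plaintext):
    """Sender side; sender_id is the sender's long-term (priv, pub) pair from keygen()."""
    id_priv, id_pub = sender_id
    rcpt_id_pub, prekey_id, prekey_pub = server.fetch(to)  # the unavoidable online step
    eph_priv, eph_pub = keygen()  # lives only for the duration of this call
    cipher_key, mac_key = derive_keys(dh(id_priv, prekey_pub), dh(eph_priv, rcpt_id_pub),
                                      dh(eph_priv, prekey_pub))
    ct = keystream_xor(cipher_key, plaintext)
    return {"sender_id_pub": id_pub, "sender_eph_pub": eph_pub, "prekey_id": prekey_id,
            "ciphertext": ct, "tag": hmac.new(mac_key, ct, hashlib.sha256).digest()}

def run_demo():
    """Alice sends Bob two messages; a replay of the first then fails because its prekey is gone."""
    server, bob, alice = PrekeyServer(), Recipient("bob@example.org"), keygen()
    bob.publish(server, count=3)
    env1 = send(alice, server, bob.name, b"first message")
    env2 = send(alice, server, bob.name, b"second message")
    plain1, plain2 = bob.receive(env1), bob.receive(env2)
    try:
        bob.receive(env1)
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    return {"plain1": plain1, "plain2": plain2, "prekeys_used": (env1["prekey_id"], env2["prekey_id"]),
            "server_left": len(server.bundles[bob.name][1]), "bob_left": len(bob.prekey_privs),
            "replay_rejected": replay_rejected}
```

Calling run_demo() exercises the two points the comment raises: send() cannot produce a ciphertext without the online fetch() of a prekey half, so a draft written offline necessarily sits in plaintext until then, and once receive() has deleted the private half, a replay of the first envelope fails with KeyError, so a later seizure of the recipient's device does not expose that message. The server is limited to denial (withholding or running out of prekeys, which fetch() surfaces as LookupError); because it never holds a private key it cannot read traffic, which is what distinguishes this from the shared-secret, Kerberos-style server the comment wants to avoid.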