crypto flaw in secure mail standards

Bram Cohen bram at
Fri Jun 22 17:41:58 EDT 2001

On Fri, 22 Jun 2001, Jeffrey I. Schiller wrote:

> I believe it is important that message signatures outlive the
> message's encryption layer.

Currently, if you are compromised at some point then an attacker can go
back to the mail archives and read every message you've ever sent or
received. With separate encryption keys, it would be possible to achieve
forward secrecy, so that the old messages would be unreadable to everyone,
including you.

Forward secrecy is arguably a more important property of mail to have than
authentication, and is much easier to build properly, since it doesn't get
into the issues of identity. Unfortunately, none of the current mail
standards support it at all.

In fact, forward secrecy is all that Disappearing Inc. did - does anybody
know how they're doing?

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
                                        -- John Maynard Keynes

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
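
Added illustration, not part of the original post: a sketch of the forward secrecy property described above, in which the encryption key is separate from any long-term identity key and is replaced one-way after every message. It assumes the two correspondents already share an initial secret; the Ratchet class is hypothetical, and the HMAC-based keystream stands in for a real authenticated cipher.

```python
import hashlib
import hmac
import os


def _kdf(key: bytes, label: bytes) -> bytes:
    # One-way derivation: the output does not reveal `key`.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), illustration only.
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += _kdf(key, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Ratchet:
    """Keeps only the current chain key; each message moves it forward."""

    def __init__(self, chain_key: bytes):
        self.chain = chain_key

    def _step(self) -> bytes:
        message_key = _kdf(self.chain, b"message")
        # Replace the chain key. Python cannot guarantee the old bytes are
        # wiped from memory; a real implementation must erase them.
        self.chain = _kdf(self.chain, b"chain")
        return message_key

    def encrypt(self, plaintext: bytes) -> bytes:
        mk, nonce = self._step(), os.urandom(16)
        ct = _xor_stream(_kdf(mk, b"enc"), nonce, plaintext)
        tag = hmac.new(_kdf(mk, b"mac"), nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        mk = _kdf(self.chain, b"message")  # derive without committing yet
        expect = hmac.new(_kdf(mk, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrong key or tampered message")
        self._step()  # advance only after the message verified
        return _xor_stream(_kdf(mk, b"enc"), nonce, ct)
```

A Ratchet built from the recipient's current chain key, which is all that a later compromise yields, cannot decrypt archived ciphertexts; one built from the initial secret still can, which is the situation when a single long-lived key is retained.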
