forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)

James A. Donald jamesd at
Wed Nov 7 05:33:36 EST 2007

an G wrote:
 >> I was involved in one case where super-secret stuff
 >> was shared through hushmail, and was also dual
 >> encrypted with non-hushmail-PGP for added security.
 >> In the end, the lawyers came in and scarfed up the
 >> lot with subpoenas ... all the secrets were revealed
 >> to everyone they should never have been revealed to.
 >> We don't have a crypto tool for embarrassing secrets
 >> to fade away.

Adam Back wrote:
 > What about deleting the private key periodically?

Mail should have the following security properties:

Mail that appears to come from an entity really did come
from that entity.

Though the recipient can prove to himself the mail came
from that sender, he cannot prove it to third parties
unless the sender cooperates.

If the sender and the recipient discard their copies,
that mail is gone forever.  No one can reconstruct it,
even though they have a complete record of the bits
passed between the sender and recipient and complete
access at a later date to the machines of the sender and
recipient and the complete cooperation, possibly under
extreme duress, of both sender and recipient.

If the sender or the recipient keep a copy that they can
access, then the guys with rubber hoses can shake it out
of them, but they can only see this stuff with the
cooperation, possibly under duress, of the sender or the
recipient - and they only have the sender or the
recipient's word that this is the real stuff.  If the
recipient deleted his stuff, and the guys with rubber
hoses look at the sender's sent box, they cannot know it
is the original and unmodified sent box, and vice versa
for the recipient's in box.

We have the technology to accomplish all this, but not
with the present store and forward architecture.

The Cryptography Mailing List
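
The properties listed in the message above, as an added sketch that is not part of the original post: per-session Diffie-Hellman keys that both sides discard, and a shared-key MAC that convinces the recipient but that the recipient could equally have produced. `Party`, `seal`, `unseal` and `demo` are hypothetical names, the group and the SHAKE-256 keystream are standard-library stand-ins for vetted primitives, and the public values are assumed to have been authenticated to each party by means not shown.

```python
import hashlib, hmac, secrets

# Demonstration group only: 2**255 - 19 is prime, but this is not a vetted DH
# group. A real design would use X25519 or a standardized MODP group.
P, G = 2**255 - 19, 2

class Party:
    """One side of a session. Holds only per-session (ephemeral) secrets."""
    def __init__(self):
        self.x = secrets.randbelow(P - 3) + 2   # ephemeral DH exponent
        self.pub = pow(G, self.x, P)            # public value sent to the peer
        self.k_enc = self.k_mac = None

    def agree(self, peer_pub):
        shared = pow(peer_pub, self.x, P).to_bytes(32, "big")
        self.k_enc = hashlib.sha256(b"enc" + shared).digest()
        self.k_mac = hashlib.sha256(b"mac" + shared).digest()

    def forget(self):
        # Drop everything that could re-derive the keys. (Python cannot
        # guarantee the old bytes are wiped from memory; this models intent.)
        self.x = self.k_enc = self.k_mac = None

def _stream(key, data):
    # SHAKE-256 output as a keystream: a stand-in for a real AEAD cipher.
    # Safe here only because each session key encrypts a single message.
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(party, plaintext):
    ct = _stream(party.k_enc, plaintext)
    return ct, hmac.new(party.k_mac, ct, hashlib.sha256).digest()

def unseal(party, ct, tag):
    want = hmac.new(party.k_mac, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(want, tag):
        raise ValueError("MAC check failed")
    return _stream(party.k_enc, ct)

def demo():
    sender, recipient = Party(), Party()
    sender.agree(recipient.pub)        # both public values must be exchanged
    recipient.agree(sender.pub)        # before any mail is sent: a round trip
    wire = seal(sender, b"constructed sample message")
    received = unseal(recipient, *wire)           # authentic to the recipient
    forged = seal(recipient, b"never sent")       # recipient-made, same keys
    forgery_verifies = unseal(recipient, *forged) == b"never sent"
    sender.forget(); recipient.forget()
    secrets_left = [p.x for p in (sender, recipient) if p.x is not None]
    return received, forgery_verifies, secrets_left, (sender.pub, recipient.pub, wire)
```

The tuple returned last is everything a wiretap or a later seizure can obtain once both sides have called `forget()`; the round trip in `demo()` is the step a store-and-forward relay does not provide.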