forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)

Ian G iang at
Wed Nov 7 10:05:07 EST 2007

Adam Back wrote:
> On Fri, Nov 02, 2007 at 06:23:30PM +0100, Ian G wrote:
>> I was involved in one case where super-secret stuff was shared
>> through hushmail, and was also dual encrypted with non-hushmail-PGP
>> for added security.  In the end, the lawyers came in and scarfed up
>> the lot with subpoenas ... all the secrets were revealed to everyone
>> they should never have been revealed to.  We don't have a crypto
>> tool for embarrassing secrets to fade away.
> What about deleting the private key periodically?
> Like issue one pgp sub-key per month, make sure it has expiry date etc
> appropriately, and the sending client will be smart enough to not use
> expired keys.
> Need support for that kind of thing in the PGP clients.
> And hope your months key expires before the lawyers get to it.
> Companies have document retention policies for stuff like
> this... dictating that data with no current use be deleted within some
> time-period to avoid subpoenas reaching back too far.

Hi Adam,

many people have suggested that.  On paper, it looks like a 
solution to the problem, at least to us.

I think however it is going to require quite significant 
support from the user tools to do this.  That is, the user 
application is going to have to manage the sense of lifetime 
over the message.

One tool that does approach this issue at least 
superficially is Skype.  It can be configured to save chat 
messages for different periods of time, I have mine set to 
around 2 weeks currently.

But, then we run slap-bang into the problem that the *other* 
client also keeps messages.  How long are they kept for? 
I'm not told, and of course even if I was told, we can all 
imagine the limitations of that.

I hypothesise that it might be possible to use contracts to 
address this issue, at least for a civil-not-criminal scope. 
  That is, client software could arrange a contractual 
exchange between Alice and Bob where they both agree to keep 
messages for X weeks, and if not, then commitments and 
penalties might apply.  Judges will look at contracts like 
that and might rule the evidence out of court, in a civil 

OK, so we need a lawyer to work that out, and I'm definately 
whiteboarding here, I'm not sure if the solution is worth 
the effort.

Which is why I am skeptical of schemes like "delete the 
private key periodically."  Unless we solve or address the 
counterparty problem, it just isn't worth the effort to be 
totally secure on our own node.

We know how to do invisible ink in cryptography.  How do we 
do its converse, fading ink?


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list