
> the key retention is the biggest issue. You need to keep your key around for a long time, probably storing copies of it.

As I get it, this one is a fundamental issue, not specific to messaging at all, but is just a secure storage problem.

You either keep a copy of the message (and need some key to decrypt it, unless you keep it unencrypted), or you throw it away. No amount of engineering can solve this.



That's what 'perfect forward security' is intended to solve. For more details please look up the Off The Record (OTR) protocol overlay.

The basic idea is that any given session is authenticated temporally; when a session is completed the details for it are leaked so that anyone could forge content as having been within that session. Thus there is reasonable doubt about anything that was said/transferred having actually been said/transferred.


No. PFS is about when messages are in transit. Sure thing, it makes sense to encrypt them with ephemeral keys rather than long-lived ones.

However, that particular point I've quoted was - as I understood it - about message archives. Short-lived keys are just fundamentally incompatible with long-term storage. We either keep data, or we don't.

PFS helps with another point raised, "if a key is broken or leaked..." (but has a trade-off, as it requires some sort of key exchange).


> However, that particular point I've quoted was - as I understood it - about message archives.

In a sense you're right, but the archive in question is the one your adversary accrued while they were intercepting your in-flight emails, which you encrypted with your static key. Any archive you have control over is sort of beside the point.
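An added example in Python (not code from the OTR project or from anyone in this thread) of the two mechanisms the replies above argue about: an ephemeral per-session key that is wiped at the end, so the interceptor's captured ciphertext stays sealed, and the OTR trick of publishing the session's MAC key afterwards, so a valid tag no longer proves who wrote a message. It simulates the Diffie-Hellman shared secret with random bytes, uses a toy HMAC-based keystream instead of a real cipher, and uses one `Session` object for both ends of the conversation; all three are assumptions made to keep it standard-library only.

```python
import hashlib
import hmac
import secrets

# Toy construction for illustration only: HMAC-SHA256 as a keystream generator.
# It stands in for a real authenticated cipher so the script needs no third-party
# packages. Do not reuse it as a cipher.


def _keystream(key: bytes, seq: int, nbytes: int) -> bytes:
    """Per-message keystream: HMAC(key, seq || block) blocks concatenated."""
    out = b""
    block = 0
    while len(out) < nbytes:
        msg = seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:nbytes]


def _xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, seq, len(data))))


def derive_keys(shared_secret: bytes):
    """Split one ephemeral shared secret into an encryption key and a MAC key."""
    enc_key = hashlib.sha256(b"enc|" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac|" + shared_secret).digest()
    return enc_key, mac_key


def make_tag(mac_key: bytes, seq: int, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, seq.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, seq: int, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(mac_key, seq, ciphertext), tag)


class Session:
    """One ephemeral session. In OTR the shared secret comes from a fresh
    Diffie-Hellman exchange; here it is simulated with random bytes (assumption).
    A single object models both ends, which share the same keys."""

    def __init__(self):
        self.shared_secret = secrets.token_bytes(32)
        self.enc_key, self.mac_key = derive_keys(self.shared_secret)
        self.seq = 0

    def send(self, plaintext: bytes):
        self.seq += 1
        ct = _xor(self.enc_key, self.seq, plaintext)
        return (self.seq, ct, make_tag(self.mac_key, self.seq, ct))

    def receive(self, message):
        seq, ct, tag = message
        if not verify_tag(self.mac_key, seq, ct, tag):
            raise ValueError("bad MAC")
        return _xor(self.enc_key, seq, ct)

    def close(self) -> bytes:
        """End the session: wipe every secret and hand back the MAC key,
        which OTR then publishes on purpose."""
        published = self.mac_key
        self.shared_secret = None
        self.enc_key = None
        self.mac_key = None
        return published


def forge(published_mac_key: bytes, seq: int, fake_ciphertext: bytes):
    """Anyone holding the revealed MAC key can produce a message that verifies."""
    return (seq, fake_ciphertext, make_tag(published_mac_key, seq, fake_ciphertext))


def demo():
    # Constructed sample traffic; the interceptor records everything on the wire.
    session = Session()
    wire = [session.send(b"meet at noon"), session.send(b"bring the docs")]
    received = [session.receive(m) for m in wire]

    published_mac_key = session.close()

    # 1. A third party can check the old tags with the revealed key...
    old_tags_verify = all(verify_tag(published_mac_key, s, c, t) for s, c, t in wire)
    # 2. ...but can just as easily forge a new message with a valid tag, so a
    #    valid tag proves nothing about authorship (OTR's deniability argument).
    forged = forge(published_mac_key, 3, b"\x00" * 16)
    forged_verifies = verify_tag(published_mac_key, *forged)
    # 3. The encryption key was never published and is now wiped, so the
    #    interceptor's archive of ciphertext stays sealed, and so does any copy
    #    the parties kept in that form: a readable archive needs its own key.
    key_gone = session.enc_key is None
    return {"received": received, "old_tags_verify": old_tags_verify,
            "forged_verifies": forged_verifies, "key_gone": key_gone}
```

Running `demo()` shows the split the thread is circling: forward secrecy protects what the adversary captured in flight once the ephemeral key is gone, while anything you want to read later has to be stored under some key you keep, which the short-lived session key cannot be.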



