evbogue 7 days ago
Got it. Doesn't Signal already have on-device keys with a session ratchet? Why not back those keys up so one can decrypt the entire history on any device?
krior 7 days ago | parent
AFAIK the key material is regenerated for every message. New keys can be derived for every subsequent message you send, but only until you get a reply; then a new key exchange takes place. And the key material for message m1 cannot derive keys for the messages that came before m1. If the old key material gets properly deleted, then there is only a very small window of compromise. Backing up those keys would defeat the purpose of the ratchet.
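The one-way chain the reply above describes, as an added illustration that is not part of the thread and not Signal's code: a toy symmetric ratchet where each step derives the next chain key and a message key by HMAC (the 0x02/0x01 inputs mirror the Double Ratchet spec's KDF_CK; the `SendingChain`, `keys_from_state` and `compromise_window` names are this example's own). Only the symmetric chain is modelled; the DH step that happens on a reply, which closes the window, is left out.

```python
import hashlib
import hmac

# Inputs to the chain KDF, as in the Double Ratchet spec's KDF_CK:
# 0x02 -> next chain key, 0x01 -> message key. Everything else below is an
# illustrative model (hypothetical names), not Signal's implementation.
CK_INPUT = b"\x02"
MK_INPUT = b"\x01"


def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric ratchet step: chain_key -> (next_chain_key, message_key).

    HMAC is one-way, so holding next_chain_key gives no way back to chain_key
    or to the message_key that was derived from it.
    """
    next_ck = hmac.new(chain_key, CK_INPUT, hashlib.sha256).digest()
    mk = hmac.new(chain_key, MK_INPUT, hashlib.sha256).digest()
    return next_ck, mk


class SendingChain:
    """Sender state within one epoch (between DH ratchet steps)."""

    def __init__(self, chain_key: bytes) -> None:
        self.ck = chain_key   # the only secret kept on the device
        self.n = 0            # number of messages sent so far

    def next_message_key(self) -> tuple[int, bytes]:
        # Advance the chain; the old chain key is overwritten, the message key
        # is handed out for encryption and not stored in state.
        self.ck, mk = kdf_ck(self.ck)
        self.n += 1
        return self.n, mk


def keys_from_state(chain_key: bytes, count: int) -> list[bytes]:
    """Everything a holder of `chain_key` can derive: the NEXT `count` keys."""
    keys = []
    ck = chain_key
    for _ in range(count):
        ck, mk = kdf_ck(ck)
        keys.append(mk)
    return keys


def compromise_window(initial_ck: bytes, total: int,
                      captured_after: int) -> tuple[set[int], set[int]]:
    """Simulate `total` sends; an attacker snapshots the device state right
    after message number `captured_after` (0 = a backup of the initial key).
    Returns (message numbers the snapshot decrypts, message numbers it does not).
    """
    chain = SendingChain(initial_ck)
    real_keys: dict[int, bytes] = {}
    snapshot = chain.ck if captured_after == 0 else None
    for _ in range(total):
        n, mk = chain.next_message_key()
        real_keys[n] = mk
        if n == captured_after:
            snapshot = chain.ck
    if snapshot is None:
        raise ValueError("captured_after must be between 0 and total")
    derivable = set(keys_from_state(snapshot, total))
    exposed = {n for n, mk in real_keys.items() if mk in derivable}
    return exposed, set(real_keys) - exposed


if __name__ == "__main__":
    seed = b"\x00" * 32  # constructed sample chain key
    print("state grabbed after msg 3:", compromise_window(seed, 6, 3))
    print("backup of initial key:    ", compromise_window(seed, 6, 0))
```

With the state captured after message 3, only messages 4 to 6 (the rest of the epoch) are readable; a backup of the initial chain key exposes all six, which is the point about backups defeating the ratchet.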