Quote from: kmfkewm on January 02, 2013, 04:19 am
The primary thing to note is that with long term keys (the way RSA is generally used, ie: with GPG the way it is usually used) if Alice has her private key compromised, all intercepted ciphertexts ever sent to her that were encrypted with that private key's corresponding public key can be decrypted. The way that (DH / ECDH) is usually used (ie: Tor, OTR), intercepted ciphertexts become impossible to decrypt with traditional (non-quantum) computing power as soon as the private keys are erased, which happens every time a new message is sent.

Fair enough, but we're talking apples and oranges here. In Torchat, two parties must be online at the very same time, in order to be able to carry out key negotiation. PGP has no such requirement, being originally designed to deal with email, which by definition is stored and/or forwarded. If one desires maximum anonymity, one can resort to nymservers and anonymous remailers, e.g. Mixmaster. Forward secrecy would be a great addition to PGP, although I'm given to understand that it is non-trivial to implement. In the meantime, one can periodically delete/replace the private halves of one's PGP encryption sub-keys, which will have the same effect, except that there will be a longer period of time and more traffic potentially exposed to key compromise during that period. If the replacement period is relatively short, e.g. 10 days or so, any traffic compromise would be minimal. Naturally, this would work best when two parties are communicating, as they can pass updated keys to each other. It would still be workable even for a vendor; a vendor could place an updated key on his page, and instruct his client to update the key PRIOR to sending him any messages. (Whether buyers would possess the necessary discipline to follow these instructions is another matter, however.)

NC
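The exchange above contrasts three key-management policies: a single long-lived PGP key, PGP encryption subkeys whose private halves are deleted and replaced every few days, and per-message ephemeral keys of the OTR/Tor kind. The following Python model, added here and not part of either poster's text or any real PGP/OTR implementation, makes the exposure window of each policy concrete. It assumes a passive adversary who has recorded every ciphertext and later copies whatever private key material is on the recipient's disk; the SHA-256 counter-mode keystream and the `Recipient`, `simulate` and policy names are constructed stand-ins for the real public-key machinery, chosen only so the model runs offline.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    day: int          # day the adversary intercepted the message
    key_id: str       # id of the recipient key it was encrypted to
    ciphertext: bytes


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It stands in for the real
    public-key plus session-key machinery, which does not matter for the
    question of WHICH key decrypts WHICH message."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric toy encryption/decryption: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class Recipient:
    """Recipient-side private key store under one key-management policy.

    policy = "static":    one long-lived key, never replaced (plain PGP usage)
    policy = "rotate":    a new encryption subkey every `period` days; the
                          previous subkey's private half is deleted
    policy = "ephemeral": a fresh key per message, erased once the message
                          has been read (OTR / Tor style forward secrecy)
    """

    def __init__(self, policy: str, period: int = 10):
        self.policy = policy
        self.period = period
        self.private: dict[str, bytes] = {}   # key material on disk right now
        self.log: list[Message] = []          # everything the adversary recorded

    def _housekeep(self, day: int) -> None:
        """Apply the policy's deletion rule as of `day`."""
        if self.policy == "rotate":
            current = f"subkey-{day // self.period}"
            self.private = {k: v for k, v in self.private.items() if k == current}

    def receive(self, day: int, plaintext: bytes) -> Message:
        self._housekeep(day)
        if self.policy == "static":
            key_id = "key-0"
        elif self.policy == "rotate":
            key_id = f"subkey-{day // self.period}"
        else:
            key_id = f"eph-{len(self.log)}"
        key = self.private.setdefault(key_id, secrets.token_bytes(32))
        msg = Message(day, key_id, xor_crypt(plaintext, key))
        self.log.append(msg)
        if self.policy == "ephemeral":
            del self.private[key_id]    # private half erased after use
        return msg

    def compromise(self, day: int) -> dict[int, bytes]:
        """Adversary copies every private key present on `day` and tries them
        against all recorded ciphertexts. Returns {day: recovered plaintext}."""
        self._housekeep(day)
        stolen = dict(self.private)
        return {m.day: xor_crypt(m.ciphertext, stolen[m.key_id])
                for m in self.log if m.key_id in stolen}


def simulate(policy: str, send_days: list[int], compromise_day: int,
             period: int = 10) -> dict[int, bytes]:
    """Deliver one message per day in `send_days`, then compromise the
    recipient on `compromise_day` (assumed not to precede the last message)."""
    r = Recipient(policy, period)
    for d in send_days:
        r.receive(d, f"message sent on day {d}".encode())
    return r.compromise(compromise_day)


if __name__ == "__main__":
    days = [1, 5, 12, 18, 23]     # constructed sample traffic
    for policy in ("static", "rotate", "ephemeral"):
        hit = simulate(policy, days, compromise_day=25)
        print(f"{policy:9s} -> messages exposed: {sorted(hit)}")
```

With the sample traffic and a compromise on day 25, the static key gives up all five messages, a 10-day rotation gives up only the message sent in the current epoch (day 23), a 5-day rotation gives up nothing because the day-23 subkey was already deleted, and the ephemeral policy gives up nothing at all. The model also shows the limit of the rotation workaround that the reply acknowledges: everything encrypted to the current subkey stays exposed until that subkey's private half is actually deleted, so the exposure window is the rotation period, not a single message.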