On Sun, Jan 24, 2021 at 9:15 PM <[1]jamesd@echeque.com> wrote:

     > 1) This is perhaps an obvious question (I've got to start
     somewhere, after
     > all), but what is the downside of the simplest possible solution,
     which I
     > think would be for all participants to publish a public key to
     some common
     > key server, and then for each participant in the chat to simply
     re-encrypt
     > the message N-1 times -- once for each participant in the chat
     (minus
     > themselves) using each recipient's public key?
     This does not work in itself, because what assurance do you have
     that
     you are seeing the same public key as everyone else?

   Yes, this does assume a central keyserver -- and I agree, it's possible
   that it lies to you, establishing a connection with someone other than
   who you requested (or even a man-in-the-middle).  I don't know how to
   really solve that for real without some out-of-band confirmation that
   the public key returned by the keyserver (whether centralized or
   distributed) matches the public key of the person you want to talk to.

     > 2) I would think the most significant problem with this
     ultra-simple design
     > is just performance: asymmetric encryption is just too expensive
     in
     > practice to use for every single message,
     Nah, because its cost in human generated messages is absolutely
     insignificant, particularly if you are using ed25519 or, better,
     ristretto25519

   I think you are saying that performance isn't a real world concern, but
   forward secrecy is?  If so, that makes sense.
   -david

References

   1. mailto:jamesd@echeque.com