> it's not like your phone is some inviolable log of what you actually sent.

In some systems, e.g. PGP, messages are digitally signed. This means when I send you a PGP mail, I'm actually providing proof - which anybody can verify - that I really sent that email.

If what you wanted the message platform for was to agree legal contracts maybe that feels like a reasonable structure. Alice sends Bob a PGP mail "I agree to X" and Bob now has a signed message proving this agreement. Bob couldn't have faked that, only Alice could have signed it.

Signal deliberately doesn't do that. Signal messages have cryptographic integrity protection (so Charlie can't send Bob a message pretending to be from Alice) but not signatures, so Bob can fake messages from Alice to Bob because Bob is a participant and so has the keys.

As a result Bob knows if the messages are fake or real, but can't prove that to anybody else. That feels much more like what you want from a platform you use to chat with people, not for making legal contracts.

Signal messages are effectively signed as part of the protocol. Signal releases data to allow your correspondent to forge that signature after they have received your message. Then you have to attempt to claim a forgery in a system specifically designed to allow such a claim.

PGP does the identity verification out of band. So you can simply not sign your message and completely eliminate the problem in the first place.

So it seems odd to suggest that PGP is inferior to what Signal does.

>This means when I send you a PGP mail, I'm actually providing proof - which anybody can verify - that I really sent that email.

PGP prevents access to signature information with the encryption. So you would need access to the private key of the person I sent the message to before you can verify my signature.

> Signal messages are effectively signed as part of the protocol

What is the word "effectively" doing in your sentence? I suggest that the word you needed is in fact just not. The messages can be authenticated but they are not signed.

> Signal releases data to allow your correspondent to forge that signature after they have received your message.

Nope. Bob always has the ability to produce forged messages apparently from Alice (or Charlie) to Bob.

What may have confused you is that Signal can eventually send Bob's expired authentication keys in cleartext. At this point any eavesdropper could make forged messages from somebody to Bob, that seem authentic to anybody except Bob (and presumably whoever didn't actually send them) but are rather old news.

> PGP does the identity verification out of band. So you can simply not sign your message and completely eliminate the problem in the first place.

In this case your message can't be authenticated, a very different scenario. Now Bob can't tell if this PGP email is really even from Alice because it lacks a signature. Perhaps useful for an anonymous tips line or something, but rarely what we want for messaging.

> PGP prevents access to signature information with the encryption. So you would need access to the private key of the person I sent the message to before you can verify my signature.

Nope. Just need the signed message. If the message was also encrypted then its recipient can decrypt it and show the decrypted but still signed message to other people as proof of what was sent, without revealing their private key.

This is very often undesirable, and yet it's the only option provided in PGP.

Signal uses a form of Diffie-Hellman to generate a common key. That exchange has to be signed. So you know that your key is common with your correspondent. Without this signature you would have no way to know where a message came from, just like in the unsigned PGP case. Without this signature you would also be subject to MITM attacks (unlike the PGP case).

>What may have confused you is that Signal can eventually send Bob's expired authentication keys in cleartext.

Is this a new feature? Originally the decision was made to only allow correspondents to forge messages, not everyone as in the case of Off The Record.

If you signed a PGP message and did not encrypt it then you specifically wanted it to be possible for everyone to verify the signature. A trusted correspondent would not decrypt and release your signed message so the only time that would happen would be if your correspondent was compromised. In the Signal case you would have to claim that your trusted correspondent forged a message from you. That wouldn't really work.

In the case of an untrusted correspondent you would not want to sign your message at all or would sign it with a non-public identity. PGP allows you do do either.

> Signal uses a form of Diffie-Hellman to generate a common key. That exchange has to be signed. Without this signature you would have no way to know where a message came from, just like in the unsigned PGP case. Without this signature you would also be subject to MITM attacks (unlike the PGP case).

In what sense do you believe X3DH is "signed" ? Is this going to be more handwaving where you treat authenticated as "signed" just because that's how you'd do it in PGP ?

The recipient of a first X3DH message does know for sure it is from the sender, because they're the only one that could have performed the steps needed without the recipient's private keys.

But if (like the recipient) you know their private keys, you can just forge messages that are entirely plausible.

Consider an initial message purportedly from Alice to Bob but let's suppose we're Bob and we're forging it. How do we go about this?

We need to do three DH calculations. First one, is Alice's long term Identity crossed with Bob's prekey. Alice would do this by knowing her Identity private key, but we know Bob's private prekey, so we use that with Alice's public long term Identity.

Second one, Alice's ephemeral crossed with Bob's long term Identity. Alice would do that using her ephemeral private key, but we know Bob's private Identity key, so we use that with any key X.

Third one, Alice's ephemeral crossed with Bob's prekey. Alice would use her ephemeral private key again, but we know Bob's private prekey, so we use that with key X again.

We now have a secret key we can use to encrypt our forged message "from Alice" and we write key X into the headers where Alice would have written her public ephemeral. Our message is indistinguishable from genuine. Only Bob (who forged it) and Alice (who knows she didn't send it) know this is a forgery and neither of them can prove it.

> In the Signal case you would have to claim that your trusted correspondent forged a message from you. That wouldn't really work.

If the Secret Police are content that you are a Blasphemer or you plotted against the Emperor or whatever without proof, nothing would "really work", regardless of the technology used or not used. That's not interesting here because we can't do anything about it. If the Star Chamber will have you executed based on hearsay, that's just as true for literal whispers as for a Signal message.

In contrast PGP provides them with unshakeable proof even though it didn't need to.

From here:

* https://signal.org/docs/specifications/x3dh/

... I understand that the prekeys are signed. I will confess that I have no deep understanding of how everything works together. Signal protocol is somewhat baroque.

The (signed) prekeys are public information about a user, although unlike their long term Identity key the prekey is replaced periodically to help ensure Forward Secrecy. The signature means Alice knows she was given Bob's real public prekey and not a fake, but she doesn't get a different prekey (or signature) than Charlie or Deborah if they ask in roughly the same time period.

A loose equivalent in the OpenPGP world would be a user's temporary encryption keys, which may change sometimes while your signing key stays unchanged. I don't know how common this practice is today, I know it was common years ago. Clearly knowing Alice's most recent temporary encryption public key, signed by Alice's signing key, would not prove a message you showed me was from Alice.

> Signal protocol is somewhat baroque.

I agree it seems more complicated in principle than OpenPGP, although I think it's hard to make that argument for the practical deployment of OpenPGP because of the complexity of delivering compatibility.

But Signal's complexity has a specific purpose. For example those three DH pairs are combined together with a KDF so that 1. Bob learns whether the message is really from Alice (assuming Bob is not the protagonist of the movie Memento and so remember if he forged the message); 2. Alice knows the message can only be received by Bob (to the extent she verified Bob's identity, which is an out-of-band problem), and 3. A fresh random Forward Secret key is used for the conversation. Three desired properties, run DH three times.

It is definitely possible that cryptographers will come along and say "Oh, we can do this in a single function" and write like fifty pages of difficult maths and one day we get a replacement for Signal with "simpler" (although like Elliptic Curve maybe not simpler to explain) cryptography than this. Definitely possible, but these moving parts all have a purpose AFAIU today.