I don't want forward secrecy for everything, but I would love to be able to opt in.
Yes, it would just fit much better to have that as an on-the-side ephemeral chat protocol, instead of on the log.
Hmm, instead of arguing the merits of various cryptographic properties, it may be more productive to focus on discussing how those properties are created.
I have a feeling that either way, it comes down to "key state" - ratcheting maybe has some ideas
That may also provide an in for discussing how you'd create forward secure groups.
One idea that might appeal to you @johnny is secrets embedded in larger files, needs to be noisy, like images or music. Then you're like, oh nothing just uploading some pictures of the food I am eating!
But people already use it that way.
you mean people are using direct messages for things that would better be forward secure?
I think one thing here, is given that on-the-side chat doesn't exist yet, then we have to use direct messages for things like that, but if it did and it was more convenient then I bet people would use it.
@keks the phrase "I want to send a burn-after-reading message to a friend" got me thinking. How do you feel about being able to make a specific message "burn-after-reading"? The recipient would see it, and then click "burn" which would then post a message acknowledging that burn, and sending a new curve25519 key.
Or send multiple single-use keys? so that you can send a few messages before they are burnt.
This would be a feature inside a regular DM.
Is this what you meant by "orthogonal feature"?
Hmm, what if you made the user experience explicit? You'd have to send someone a self-destructing envelope, then they could send you a burn-after-reading message?
I suggest this because, firstly, it's necessary for us to both contribute a curve25519 key (and agree to forget the private half) so I need to send you something first anyway (so make that an "Invite")
And secondly, there is a balance of trust between sharers of intimate secrets. I don't want anyone to get unsolicited off-the-record threats. Inviting you to send me something off-the-record is an expression of trust, and you've gotta trust me that I'm not gonna repeat it.
(because even if there isn't any cryptographic evidence - if it can be corroborated, then it's still leakable)