The article is really interesting, but I start rolling my eyes when the author jumps to the implication that this is some sort of plot to make government intrusion easier. I doubt that -- the police and litigants already have a myriad of ways to obtain and get chat transcripts admitted in court.
Perhaps this is a way to ensure message integrity when people are traversing networks that inspect TLS sessions?
Many enterprise environments, for example, use proxy servers that terminate SSL sessions at the network boundary, inspect the content, and then re-encrypt using a self-signed key. Perhaps Google has observed some malicious or obnoxious use of that technology in public or institutional Wi-Fi environments (i.e. inserting ads, filtering "naughty" words, etc.).
The article implies that this is some sort of plot to make government intrusion easier. I doubt that -- the police and litigants already have a myriad of ways to obtain and get chat transcripts admitted in court.
Where do I claim Google is doing it intentionally to help government intrusion? The paragraph about law enforcement is only meant as an example of how signing can be used against you. The point there is that it doesn't even need to be Google's intention and requires no direct assistance from them.
I'm sure Google has a valid legitimate use of this data somewhere, but why it ends up in end-user XMPP clients is a mystery to me. If Google's aim is to avoid enterprise networks messing with the message, then Google should document somewhere how to verify the signature.
"If the recipient stores that message and signature, they have cryptographically verified blackmail material: they could later turn both message and signature over to law enforcement."