Our base case is indeed symmetric for each message (the key distribution is over Elliptic Curve Diffie Hellman Ephemeral).
The number one reason why we allow for symmetric message keys is to allow you to send an encrypted message to anyone, even if they don't have public keys somewhere. Distributing and using private/public keys in a trusted AND easy to use way is a problem we're currently working to solve, and will add as soon as we get that done in a way that doesn't make our software so hard to use that people stop using it.
Will Ackerly of Virtru here. I appreciate the sentiment, as my comfort level is much higher when working with open software.
We're being as aggressive as we can be about getting code up to snuff for open release, and in the mean time if you are interested in checking out our source, please ping me at will@virtru.com. We're working with a few folks in the community and looking for others to help get these out there as soon as possible, particularly or latest release, our android client, which is built on K-9 and we think belongs back in the open community it was built upon.
In the mean time we are wrapping up work on an initial release of our TDF.js code, on the heels of an audit from iSec partners of our broader browser extension code. We believe that when it is released it really ought to come with good docs and Getting Started tutorials. We are supporting a very large number of platforms with a small team and we're trying hard to prioritize right.
That is one reason why the underlying tech we're using, particularly the TDF, is designed to allow you to use any key server you want. Our hope is that we're the first of many TDF key servers out there, and are working to open source a key server under Apache license so anyone can use and contribute. If you're interested in helping make that possible or know people who might be, let us know.
Open Source Key Server - For those of you interested in hosting your own key server (ACM) or helping to make a free and open source key server a reality, we're looking for people to help us. Contact me if you're interested.
Hi, it's Will Ackerly here. We've thought a lot about the National Security Letter scenario, and so, we're going to be pushing to our website a Canary (in the coal mine) icon, linking to a statement declaring that we have never received an NSL. Our special counsel on privacy (Tim Edgar, who used to work at ACLU) came up with the idea for us, which I believe Apple is using through regular reports (not a literal canary icon on their website).
I've actually found it kind of surprising that they haven't had any warrants yet.
But you're going to be served with an NSL if you get big enough to be interesting. It seems to happen to everyone. An then you won't be able to update the canary any more. That's a good idea, but I don't think it is enough.
I don't mean to be negative, I just guess I don't see why you'll succeed against the government when the others have not.
Great points, definitely not negative, just realistic.
There may be no single silver bullet here. In addition to pursuing open source key servers, we're also working on UI/UX for easy addition of public key wrapping using the same crypto as PGP. Our hope is that we can deploy public key in a way that most people start using it to minimize the proportion of unwrapped keys on Virtru's server.
The number one reason why we allow for symmetric message keys is to allow you to send an encrypted message to anyone, even if they don't have public keys somewhere. Distributing and using private/public keys in a trusted AND easy to use way is a problem we're currently working to solve, and will add as soon as we get that done in a way that doesn't make our software so hard to use that people stop using it.