Oddbean

I think forward and backward secrecy are unachievable in Nostr. You can either be able to load your DMs in many clients and not have any type of real forward and backward secrecy OR you can have DMs that are only visible in the originating client, and thus "broken UXs" everywhere else and then yes with forward and backward secrecy. There is no way to do both.

They can only see message history as far as the linked device allows and can't see future messages if the device unlinks. I don't know the exact details how Signal does this, but I don't think its forward and backward secrecy is broken because of the feature.

As long as you never let the ratchet state be exported from the main client, you should be fine. But that blocks people from using multiple DM clients, which is a core motivation behind Nostr. You are blocking users into your client and locking them out of others. Same data silos Twitter and Facebook gave today.

There's nothing preventing users from moving to another DM client. You can always go back to the old client or export or copy paste message histories if you need them. It's not comparable to Twitter or Facebook, because you own your identity key and can always change the client or relays. There's always a tradeoff between availability and security of messages, and maybe there are different use cases for both kinds of messaging. On Nostr, we are free to choose.

Signal started by not allowing anyone to export it. That was forward secrecy. But when they added the import/export and desktop clients, forward secrecy became irrelevant because all an attacked needs to do is to attack the import feature. They don't need to decrypt individual messages anymore. It's just way easier to attack the "seed" Also Signal is terrible because their servers know everything. It's not private at all. The server can pinpoint anyone, geolocate and uniquely identify all of a user's messages. If a protocol doesn't operate with multiple servers chosen by the user, privacy is pretty much gone. Regardless of the quality of underlying protocol.

Forward secrecy means that compromise of a long-term key doesn't reveal past messages. Signal does provide that. It's a different category of attack if someone gets access to your device and sees your chat history, or tricks you to link an untrusted device. Export is possible in any client, at the very least with screenshots or by writing the message history on a piece of paper, but that's not related to forward secrecy. Disappearing messages is the solution when you don't want your message history potentially seen by anyone later. You can use a VPN to hide your geolocation from Signal (which you should do on Nostr as well if you need privacy), but it's true that they can connect your messages to your phone number, see when and probably with whom you're chatting. Not surprised if intelligence agencies are mining that data. With Nostr we're at least over the phone number part, there's no single service that sees all traffic and there are different ways to fix the metadata issue — and do forward & backward secrecy when desired.

i've found this one of the most frustrating features in signal where you cannot really export your message history, and every time you need to re-link your computer (which expires after 30 days of non-use or so) it will start with an empty one i do understand it from a privacy point of view but still fwiw, matrix does provide message history for E2EE rooms even with new devices nostr:nevent1qvzqqqqqqypzq3svyhng9ld8sv44950j957j9vchdktj7cxumsep9mvvjthc2pjuqqsgt0zpg6tslgxjx9raff5nusuqapwj7nf5hvpvaxzh5ux3ddlmq4qjk6ldh

If Alice has two phones and Bob has one phone, and Alice's two phones have different Keychat IDs, when Alice chats with Bob, if she feels it necessary, she can create a pairwise group with her two Keychat IDs and Bob. This can achieve multi-device synchronization to a certain extent.