incorporate review from vdh & luca

27f5c25f · Matthew Hodgson · f8abaf9e · 27f5c25f
Commit 27f5c25f authored Jun 18, 2019 by Matthew Hodgson
--- a/docs/megolm.md
+++ b/docs/megolm.md
@@ -271,12 +271,13 @@ future research.
 (also called 'future secrecy' or 'post-compromise security') is the property
 that if current private keys are compromised, an attacker cannot decrypt
 future messages in a given session.  In other words, when looking
-**backwards** into the past at a compromise, messages sent since the compromise
-will be secret.
+**backwards** in time at a compromise which has already happened, **current**
+messages are still secret.

-By itself, Megolm does not posess this property: once the key to a Megolm
-session is compromised, the attacker can decrypt any future messages sent via
-that session.
+By itself, Megolm does not possess this property: once the key to a Megolm
+session is compromised, the attacker can decrypt any message that was
+encrypted using a key derived from the compromised key or any following
+ratchet values.

 In order to mitigate this, the application should ensure that Megolm sessions
 are not used indefinitely. Instead it should periodically start a new session,
@@ -288,17 +289,17 @@ with new keys shared over a secure channel.
 ### Partial Forward Secrecy

 [Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
-is the property that if the current private keys are compromised, an attacker
-cannot decrypt *past* messages in a given session (unless past private keys
-are retained). 'Perfect forward secrecy' means that no past keys are retained.
-'Partial forward secrecy' means that some past key data may be retained. In
-other words, when looking **forwards** into the future at a potential
-compromise, messages sent prior to the compromise will be secret.
-
-In Megolm, each recipient maintains a record of the ratchet value which allows them to
-decrypt any messages sent in the session after the corresponding point in the
-conversation. If this value is compromised, an attacker can similarly decrypt
-those past messages.
+(also called 'perfect forward secrecy') is the property that if the current
+private keys are compromised, an attacker cannot decrypt *past* messages in
+a given session. In other words, when looking **forwards** in time towards a
+potential future compromise, **current** messages will be secret.
+
+In Megolm, each recipient maintains a record of the ratchet value which allows
+them to decrypt any messages sent in the session after the corresponding point
+in the conversation. If this value is compromised, an attacker can similarly
+decrypt past messages which were encrypted by a key derived from the
+compromised key or any following ratchet values. This gives 'partial'
+forrward secrecy.

 To mitigate this issue, the application should offer the user the option to
 discard historical conversations, by winding forward any stored ratchet values,