I wasn’t sure if this one was appropriate to submit but I shared it in case others found it useful. Please feel free to flag & remove if not. I found it interesting in part because I didn’t know about the legislation, but I also thought the discussion of interoperability, or lack thereof, and its effect on business strategy fascinating, especially because I used to spend a lot of time thinking about interoperability in healthcare systems and noticed some parallels between the two. Plus, I’m curious to read more about the security implications that arise from all of this.
I may have also misread but I think it is only related to chats between individual users, not group chats at the moment.
Does anyone more knowledgeable about this have any good literature on the topic that discusses approaches, protocols, etc. when making these types of systems interoperable at the system boundary?
(Strange that a lot of usage comparisons leave out iMessage. It appears to have about 1.3B active users (i just did a quick search) putting it in a tie for 2nd place.)
PKI seems like the only significant hurdle for E2E. And since every provider manages its own user namespace, I can easily imagine some kind of query to a known endpoint where you provide someone’s ID and get back a public key. Of course that doesn’t prevent their service or yours from doing a MitM by giving you an intermediate key they control, not the one the user created, but that’s always been the flaw in this approach.
(IIRC, iMessage key-pairs are created client-side, with only the public key stored on Apple’s servers, but we’ve always had to trust that the other users’ public keys that Apple sends our devices are the real ones.)
This trust issue does get dicier once there are two messaging services involved in an interaction, one of which you don’t necessarily use or trust yourself. If I send a message from my iMessage account to your SketchyChat account, my trust in its security now depends on whether I trust SketchyChat.
Unfortunately, overcoming this trust problem is difficult and always seems to involve complicating things for end users — in-person QR code scanning, “key signing parties”, etc. PKI is an unsolved problem.