
> A final, and salient feature on the key distribution approach is that it allows only prospective eavesdropping -- that is, law enforcement must first target a particular user, and only then can they eavesdrop on her connections. There's no way to look backwards in time.

Actually, it's even weaker of an attack than that. Signal (for example) stores a copy of the keys locally on the other person's device after a conversation has been initiated (and notifies users if they've changed). You could augment this with TUF or some other updating system to make additions of new devices (or removal of old ones) also secure. So really the distribution attack only works for first connection. And this is why PGP key signing parties are a thing (and why I ask for two forms of government ID before signing their keys).




What if the government sends someone with fake IDs to your key signing party? Not sure if this actually happens, but they're the ones who are issuing all those government IDs in the first place so why not?

This is a world where some guy can claim to be Satoshi Nakamoto and fool a bunch of Bitcoin experts in an offline demonstration. What chance would we stand against a real-life Jason Bourne?


The author said exactly this, in the paragraph right before the one you quoted:

> Some communication systems, like Signal, allow users to compare key fingerprints in order to verify that each received the right public key.


That's not what I said. Signal stores the key that you've already verified. So changing the key in the keyserver doesn't do anything to a device, since you haven't verified the new key from the keyserver (and it shows a warning).


You think. Remember that you don't know what binary you were delivered, unless you personally reverse engineered it yourself.


Or compiled and side-loaded it yourself.


TOFU / POP

Trust on first use / persistence of pseudonym


Yes, that is the phrase I was looking for. :P
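The trust-on-first-use behaviour discussed in this thread (pin the key at first contact, warn when the key server later serves a different one), as an added example that is not part of any comment above and is not Signal's code. `PinStore`, `simulate`, the contact name and both key byte strings are hypothetical and constructed for illustration.

```python
import hashlib


class PinStore:
    """Trust-on-first-use store mapping a contact to a pinned key fingerprint."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        # Public keys are not secret, so a plain hash comparison is enough.
        return hashlib.sha256(public_key).hexdigest()

    def check(self, contact: str, served_key: bytes) -> str:
        """Classify a key handed out by the key server for this contact."""
        fp = self.fingerprint(served_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            # First use: nothing to compare against, so whatever was served
            # gets pinned. This is the one window a key swap can slip through.
            self._pins[contact] = fp
            return "pinned-first-use"
        if pinned == fp:
            return "match"
        # Do NOT overwrite the pin here: the user must be warned first.
        return "changed"

    def accept_change(self, contact: str, new_key: bytes) -> None:
        """Re-pin only after the user verified the new key out of band."""
        self._pins[contact] = self.fingerprint(new_key)


# Constructed sample keys (placeholders, not real key material).
ALICE_KEY = b"constructed-alice-public-key"
SUBSTITUTED_KEY = b"constructed-substituted-key"


def simulate(served_keys):
    """Feed a sequence of served keys for one contact through a fresh store."""
    store = PinStore()
    return [store.check("alice", key) for key in served_keys]


if __name__ == "__main__":
    # Swap after first contact: detected.
    print(simulate([ALICE_KEY, ALICE_KEY, SUBSTITUTED_KEY]))
    # Swap at first contact: pinned silently; the genuine key later looks "changed".
    print(simulate([SUBSTITUTED_KEY, ALICE_KEY]))
```

The second run is the case fingerprint comparison or a key signing party is meant to cover: the pin alone cannot tell which of the two keys was the genuine one.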



