I disagree; if you are sending to participants instead of devices, you don't really have e2e. Any private key should never leave any device. If the user want to use several devices, his client should enroll multiple keys for him and the message should be decryptable by each of these keys. Also, the user should have visibility into which keys can decrypt the message, to avoid enrolling any keys behind his back.
That the user won't see on his device any messages sent before enrolling the new key? That's the point. Otherwise, the user should use the normal/non-e2e messages.
Thus, the key distribution as it is "solved" is being lax with them.
That the user won't see on his device any messages sent before enrolling the new key? That's the point. Otherwise, the user should use the normal/non-e2e messages.
Thus, the key distribution as it is "solved" is being lax with them.