You are reading content from Scuttlebutt
@Dominic %PBKwv8CsVZrwLrVFIYEoDYHFKz1wLUmVMjZO6OxcrIM=.sha256

next step towards private groups

coming soon: the ability to share a decryption link to a private message. This will be a markdown link, but including the decryption key. You can reveal a message to just one person at a time, by linking just to them, or reveal it publicly, by posting it in a public message.

With the merge of decrypted indexes there is now a clear model of how indexes and encryption interact. With secret blobs there is also a pattern for including a secret blob in a message (via a markdown link). This is what we need to start working on private groups!

The essential thing about private groups is that you can add people to them later, i.e. by giving them the key. Private groups will work a lot like @dinosaur's message identified groups proposal: there is an initial message which defines the group, then members are added to that. For private groups, that initial message is encrypted, and contains the key for that group, and to add a member someone must give them the key to decrypt that message.

@Dominic %wH/Qkb5kQqh0PIjjPIrZ9RBUbt3pFk/PxomzvcguItU=.sha256

Since it's immutable, you can't change the key. You can't change the key for old messages - you could change the group's key so that new group messages are not decryptable with the old key, but you can't change the old key.

@Dominic %oYmULuW05ORaU6CYnH9L9D9Mml7lGc6eNSWEztedOZU=.sha256

@Cole I've thought about a ratchet, but a group ratchet is a lot more complicated, especially when someone might post with an out-of-date key. I think I'll just implement a simple version first. I think that will still be useful for large groups - where the private group is just a bit more of a fence, so you can do your own thing inside, than about preventing anything ever getting out at all costs.

Okay, I looked up how matrix does it... it uses megolm; unfortunately the properties are not particularly impressive. The "ratchet" is essentially just updating the key=hash(key) (it's more complicated than that, but I don't think it changes this property). That means it has a lack of backward secrecy: if you leak someone a key, they can still read all future messages. Also, if you plan to leak something, you could just save the oldest key you have... So it doesn't really gain much from all this ratcheting.

Matrix does use the heavy-duty encryption to protect content within a chat room - but it doesn't hide who is in the room! I think this metadata is actually somewhat more important than the content. That is one big thing ssb private messages do have - who is in the group is quite well hidden.
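Added example, not code from this thread or from ssb: a toy Python model of the private-group idea from the first message (an epoch key that members receive, rotated when the group rekeys) and of the megolm-style key=hash(key) ratchet discussed here. The stream cipher, the `PrivateGroup` class and the helper names are assumptions for illustration; the point shown is that a hash ratchet lets a holder of one key derive every later key, while fresh random rekeying does not.

```python
import hashlib
import os


def ratchet_next(key: bytes) -> bytes:
    # Megolm-style step as the thread describes it: next key = hash(current key).
    return hashlib.sha256(b"ratchet:" + key).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode stream cipher, for illustration only (no authentication).
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, box: bytes) -> bytes:
    return keystream_xor(key, box[:16], box[16:])


class PrivateGroup:
    """Members hold the current epoch key; the epoch 0 key stands in for what the
    encrypted initial group message would carry (assumed layout, not ssb's format)."""

    def __init__(self, hash_ratchet: bool):
        self.hash_ratchet = hash_ratchet
        self.keys = [os.urandom(32)]  # one key per epoch, epoch 0 first

    def rekey(self) -> None:
        # "change the group's key": hash-ratchet the old one, or draw a fresh random key.
        new = ratchet_next(self.keys[-1]) if self.hash_ratchet else os.urandom(32)
        self.keys.append(new)

    def post(self, text: str):
        # A group message: (epoch, plaintext kept for checking, ciphertext under that epoch's key).
        return (len(self.keys) - 1, text, encrypt(self.keys[-1], text.encode()))


def epochs_readable(group: PrivateGroup, posts, leaked_epoch: int):
    # Which posts someone who obtained only the `leaked_epoch` key can actually decrypt.
    known = {leaked_epoch: group.keys[leaked_epoch]}
    if group.hash_ratchet:  # one leaked key yields every later key
        for epoch in range(leaked_epoch + 1, len(group.keys)):
            known[epoch] = ratchet_next(known[epoch - 1])
    return [e for e, text, box in posts if e in known and decrypt(known[e], box) == text.encode()]
```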

@cryptix %be6z1TTRVSwQBZbbVJJCgmpzX6EewLZmjNiK8ET2Vv4=.sha256

@martin @dominic re how others do: you might also want to check out this thread about the MLS WG and ART. There also is a new thread on the mailing list about something called TreeKEM which I haven't checked out yet.
