@keks great minds think alike! I was am considering both those possibilities. kdf(key, type) would protect one-way groups, but not two way groups.

If instead it's kdf(key, create_msg) that could work.

But that adds state to the crypto, which can be good (eg in ratchet - and in ssb, a signature is only valid in a precise context in each log)

The other side of the coin, is how do you add people to groups?

Obviously you need to at some level, send them the key for that group. Actually I think the best verb is "entrust" them the key. Because you can't cryptographically prevent them from "sharing" (aka "leaking") it again. even if forward secure, you can't prevent them screenshotting you etc. you can't avoid needing to trust your partners... (remember goal is that abuses of trust be obvious, so it's not easy to abuse trust and get away without being noticed)

I'll add ratchet to the list, but read it specifically thinking about groups of recipients.

@keks forward secure has been done ;) I want flexible groups. Maybe there is a way to do that forwardly secure, but for now, I'm gonna focus on flexibility.