7.6 Join/Leave Protocol flow

Each client needs a device signing key pair to join E2EE meetings: we denote the public verification key as IVK, and the secret signing key as ISK.

Once sigchain-backed identity for meetings (Section 7.11) is available, devices will directly use their signing key pairs as advertised in the user’s sigchain. Until then, each device generates a dedicated IVK/ISK pair using Sign.KeyGen on their first login. In all cases, these signing keys are securely stored as described in Section 3.7.1. If the user is joining a meeting as a guest (without logging in), this key pair is freshly generated for every meeting and never recorded in the sigchain. This prevents other participants from tracing them across meetings by noticing when a long-term key is reused. We assume each meeting is identified by its unique meetingID, as in the current system. Each meeting gets its own “bulletin board” that’s accessible to everyone who has servergated access to the meeting. The server clears it when the meeting ends. Note that meetings can be ended then later restarted, and a meeting ID can refer to a standing or repeating meeting. From a cryptographic perspective, the server is free to tamper with all values posted on the bulletin board. In Section 7.12, we describe further that a malicious server that sends stale messages from a previous meeting incarnation can at best deny service, which it can do regardless. Figure 2 describes the basic flow of a leader admitting a participant into the meeting