mdavidn 5 hours ago

You are correct, but you omitted one complication: Clients trust Google's and Apple's servers to faithfully exchange the participants' public keys.

pcl 5 hours ago | parent | next [-]

Apps (such as Signal) that care about end-to-end encryption do their own key management. So, Apple / Google servers only ever see ciphertext, and don't have access to the key material that's used for the encryption.

toast0 4 hours ago | parent [-]

AFAIK, e2e messengers don't include ciphertext with push notifications. It's an empty push to wake the client. Then the client contacts the origin to fetch the ciphertext.

saagarjha 4 hours ago | parent [-]

This is how it used to work; notifications can be encrypted now and Signal uses an extension to decrypt them.

xmx98 5 hours ago | parent | prev | next [-]

Sending public keys through the notification system is an unnecessary complication.

soamv 5 hours ago | parent | prev | next [-]

Which clients?

ls612 5 hours ago | parent | prev | next [-]

Isn’t that what Contact Key Verification solves? Or do I misunderstand how that works?

qurren 5 hours ago | parent | prev [-]

... and hold participants' private keys truly private, which you cannot verify without a rooted phone.