Thanks for explaining, that makes much more sense.
It seems to me that double ratchet is really to blame here. Without it, you could simply share a single key across all devices. With it, your choice is to either deal with this sort of complexity or to set up a trusted proxy in the middle.
It's a bit strange actually. There's this constant mantra of having to pick either security or usability. We now have readily available means for usable _and_ reasonably secure E2E, but the crypto nuts go and add additional "must haves" that once again make it difficult for the average person to use.
An aside: Instead of authenticating with a central server to add a key (as you've described Wire doing), why not handle this client side via X.509 certificate chains? This is very mature crypto and seems far more flexible. It would enable use of standard PKI token hardware for managing your root identity, allow fully offline enrollment of new devices, and provide cross signing for various purposes (changing your root identity, setting up a web of trust with a group, integrating with a corporate environment, etc).
It seems to me that double ratchet is really to blame here. Without it, you could simply share a single key across all devices. With it, your choice is to either deal with this sort of complexity or to set up a trusted proxy in the middle.
It's a bit strange actually. There's this constant mantra of having to pick either security or usability. We now have readily available means for usable _and_ reasonably secure E2E, but the crypto nuts go and add additional "must haves" that once again make it difficult for the average person to use.
An aside: Instead of authenticating with a central server to add a key (as you've described Wire doing), why not handle this client side via X.509 certificate chains? This is very mature crypto and seems far more flexible. It would enable use of standard PKI token hardware for managing your root identity, allow fully offline enrollment of new devices, and provide cross signing for various purposes (changing your root identity, setting up a web of trust with a group, integrating with a corporate environment, etc).