* everyone Everyone should explicit-ack this message ASAP** this This message should contain the next-sender-key, to be used after u leaves, encrypted to everyone except u. (Hopefully this addresses the concern Joe brought upThis ensures old members can't read new messages even if they eavesdrop.)** (We could probably do something similar for group keys.)* when When this message is fully-acked, u gains consistency for all previous messages up to m, and may leave.** other Other messages should be probably be discarded, - u won't have a chance to verify their consistency.

When a member u accepts a non-explicit-ack message m at time t:

The above checks should be applied for every single message. This guarantees that a warning shows up if we don't reach consistency within the timeout defined above, ensuring timelinessand works even if people don't manually send messages.

In terms of overhead, effectively If we set ACK_GRACE_INTERVAL high enough to match the typical interval between a user will send a message at least every ACK_GRACE_INTERVAL time period's messages, whilst then (in theory) the session has other people overhead is only incurred once everyone stops talkingand we automatically send off one extra round of acks. When there is a While the lull in the conversationactivity continues, there should will be no further extra messages. I'm confident , since we can tweak the parameters so servers don't see too much extra load, but have not tried require explicit-acks to model be fully-acked themselves. (Preliminary experiments on some code I wrote shows this preciselyto be effective.)