Threat model
- No user but the owner can construct a valid ACL version
- The server is an active adversary and can attempt to modify the ACL in an attempt to create new versions
- Server will fail modifying the content key due to inability to sign as the owner
- TODO: Server can collude w/ users (past or present ACL members), what can he do?
- The server should not be able to construct new versions of an ACL by mixing old version of that ACL together
- TODO: Does AE + signature give us that? Probably not, so we have Merkle trees overlayed
- The users on the ACL are trusted not to leak the content key (past versions or current versions)
- Users that are or have been on the ACL (other than the owner) should not be able to forge new ACL entries for other users.
- TODO: Does AE + signature gives us that? Or is signature sufficient?