> 1) This is perhaps an obvious question (I've got to start somewhere, after
> all), but what is the downside of the simplest possible solution, which I
> think would be for all participants to publish a public key to some common
> key server, and then for each participant in the chat to simply re-encrypt
> the message N-1 times -- once for each participant in the chat (minus
> themselves) using each recipient's public key?

This does not work in itself, because what assurance do you have that
you are seeing the same public key as everyone else?

Yes, this does assume a central keyserver -- and I agree, it's possible that it lies to you, establishing a connection with someone other than who you requested (or even a man-in-the-middle). I don't know how to really solve that for real without some out-of-band confirmation that the public key returned by the keyserver (whether centralized or distributed) matches the public key of the person you want to talk to.
> 2) I would think the most significant problem with this ultra-simple design
> is just performance: asymmetric encryption is just too expensive in
> practice to use for every single message,

Nah, because its cost in human-generated messages is absolutely
insignificant, particularly if you are using ed25519 or, better,
ristretto25519.

I think you are saying that performance isn't a real-world concern, but forward secrecy is? If so, that makes sense.

-david
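The "re-encrypt N-1 times" design under discussion, together with the out-of-band fingerprint check David mentions, as an added example that is not code from anyone in this thread (Go standard library only). Assumptions, all mine: each participant holds one static X25519 identity key; each copy is encrypted with AES-256-GCM under a key derived by plain SHA-256 from a static-static agreement (a stand-in for a real HKDF); the out-of-band value is the first 16 hex characters of SHA-256 over the raw public key; the keyserver is modelled as an in-memory map; the names GenKey, Fingerprint, VerifiedLookup, SealTo, OpenFrom and Broadcast are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenKey makes a long-term (static) X25519 identity key for one participant.
func GenKey() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS RNG is unusable
	}
	return priv
}

// Fingerprint is what two people compare out of band (read aloud, QR code).
// Hypothetical format: the first 16 hex characters of SHA-256(public key).
func Fingerprint(pub *ecdh.PublicKey) string {
	sum := sha256.Sum256(pub.Bytes())
	return fmt.Sprintf("%x", sum[:8])
}

// KeyServer is the "common key server": a name -> public key directory.
type KeyServer map[string]*ecdh.PublicKey

// VerifiedLookup fetches name's key and refuses it unless the fingerprint matches
// the one obtained out of band; without this a lying server can substitute any key.
func VerifiedLookup(ks KeyServer, name, oobFingerprint string) (*ecdh.PublicKey, error) {
	pub, ok := ks[name]
	if !ok {
		return nil, fmt.Errorf("keyserver has no key for %q", name)
	}
	if got := Fingerprint(pub); got != oobFingerprint {
		return nil, fmt.Errorf("key for %q served as %s, out-of-band fingerprint is %s", name, got, oobFingerprint)
	}
	return pub, nil
}

// pairAEAD derives AES-256-GCM from a static-static X25519 agreement; both sides
// compute the same secret, so one function serves seal and open. SHA-256 stands in for HKDF.
func pairAEAD(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("chat-v0:"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTo encrypts msg for one recipient; output is nonce || GCM ciphertext.
func SealTo(sender *ecdh.PrivateKey, recipient *ecdh.PublicKey, msg []byte) ([]byte, error) {
	g, err := pairAEAD(sender, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, nil), nil
}

// OpenFrom decrypts one SealTo output. Only the recipient's long-term private key is
// needed, which is the forward-secrecy problem: steal it later and every past message opens.
func OpenFrom(recipient *ecdh.PrivateKey, sender *ecdh.PublicKey, ct []byte) ([]byte, error) {
	g, err := pairAEAD(recipient, sender)
	if err != nil {
		return nil, err
	}
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Broadcast is the "re-encrypt N-1 times" design: one ciphertext per entry of oob (the
// sender's out-of-band-verified contacts, which excludes itself), each key checked before use.
func Broadcast(sender *ecdh.PrivateKey, ks KeyServer, oob map[string]string, msg []byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(oob))
	for name, fp := range oob {
		pub, err := VerifiedLookup(ks, name, fp)
		if err != nil {
			return nil, err
		}
		ct, err := SealTo(sender, pub, msg)
		if err != nil {
			return nil, err
		}
		out[name] = ct
	}
	return out, nil
}
```

A keyserver that hands out a substitute key for "bob" is caught in VerifiedLookup before anything is encrypted; drop the fingerprint comparison and the same code encrypts to the substituted key without complaint, which is the point made in the first reply above. The cost side matches the second reply: each copy is one X25519 agreement plus one AES-GCM call, negligible at human typing rates. What the design does not give is forward secrecy: OpenFrom needs nothing but the recipient's static private key, so a recorded ciphertext stays readable to anyone who obtains that key at any later date.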