by baby 3477 days ago
> Where TLS can provide an encrypted channel for convincing the user they are talking to the right server, Signal can convince the server it is talking to the right user - and that it is the same user that we spoke to last time.

Same thing can be done with TLS. It's called session resumption.


In a weak sense. In Signal, every single volley (in the Diffie-Hellman ratchet, at least) is testing the validity of the parties and cycling the ephemerality. Thus the newer notion of "key continuity", that is anchored all the way back to the initial, authenticating handshake. TLS has only the lesser resumptive property that the server got back what it sent some time ago, so this is probably the same thing -- but one can imagine lots of opportunity to monkey.
The ratchet is just refreshing the ephemerality. But do we need to refresh the keys for every message? Personally I don't think so.
One necessarily implies the other.
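The "key continuity" argument in the comment above, as an added example that is not from this thread: a toy Diffie-Hellman ratchet in Python in which each volley folds a fresh DH output into a root key that descends from the initial handshake. The modular group, the HMAC-based KDF and the `Party`/`run_ratchet` names are constructed for this example (Signal uses X25519 and HKDF); running it twice with the same ephemeral keys but a different handshake secret yields identical on-the-wire ratchet keys and entirely different derived keys.

```python
import hashlib
import hmac
import random
import secrets

# Toy DH group, constructed for illustration only (Signal uses X25519).
P = 2**255 - 19
G = 2

def kdf_rk(root_key: bytes, dh_out: bytes):
    """Mix a fresh DH output into the root key; return (new root key, chain key)."""
    new_root = hmac.new(root_key, b"root" + dh_out, hashlib.sha256).digest()
    chain_key = hmac.new(root_key, b"chain" + dh_out, hashlib.sha256).digest()
    return new_root, chain_key

class Party:
    def __init__(self, root_key: bytes, rng):
        self.root = root_key          # root key anchored to the initial handshake
        self.rng = rng
        self.priv = rng.randrange(1, P - 1)
        self.pub = pow(G, self.priv, P)
        self.peer_pub = None
        self.chain_keys = []          # one key per ratchet step, kept for inspection

    def send_step(self) -> int:
        """Rotate our DH key and fold DH(new key, peer key) into the root key."""
        self.priv = self.rng.randrange(1, P - 1)
        self.pub = pow(G, self.priv, P)
        self._advance(pow(self.peer_pub, self.priv, P))
        return self.pub

    def receive_step(self, peer_pub: int) -> None:
        """Learn the peer's new DH key and fold DH(our key, new peer key) in."""
        self.peer_pub = peer_pub
        self._advance(pow(peer_pub, self.priv, P))

    def _advance(self, shared: int) -> None:
        self.root, chain_key = kdf_rk(self.root, shared.to_bytes(32, "big"))
        self.chain_keys.append(chain_key)

def run_ratchet(steps: int, root_key: bytes, seed=None):
    """Ping-pong `steps` volleys; return (alice keys, bob keys, public ratchet keys).
    A seed makes the ephemeral keys reproducible for demonstration only."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    bob = Party(root_key, rng)
    alice = Party(root_key, rng)
    alice.peer_pub = bob.pub          # Bob's first ratchet key is delivered by the handshake
    transcript = []
    for i in range(steps):
        sender, receiver = (alice, bob) if i % 2 == 0 else (bob, alice)
        transcript.append(sender.send_step())
        receiver.receive_step(transcript[-1])
    return alice.chain_keys, bob.chain_keys, transcript
```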