I remember K5 for being the original host of localroger and his "Metamorphosis of Prime Intellect", as well as a host of other original stories.
Tis a sad day indeed.
The user's device generates the private key, but only under the control of WhatsApp's closed-source app.
The key exchange is done through WhatsApp's server, much like message exchange. There is no revokation, though I imagine a user who loses his private key could generate and register a new one. There are no certificates except for the connection to the server.
An attacker would have to take control of WhatsApp's server, but once that is done, they could run classic MiTM attacks on all WhatsApp users.
Remember: Silly is a state of Mind, Stupid is a way of Life. -- Dave Butler