I remember K5 for being the original host of localroger and his "Metamorphosis of Prime Intellect", as well as a host of other original stories.
Tis a sad day indeed.
The user's device generates the private key, but only under the control of WhatsApp's closed-source app.
The key exchange is done through WhatsApp's server, much like message exchange. There is no revokation, though I imagine a user who loses his private key could generate and register a new one. There are no certificates except for the connection to the server.
An attacker would have to take control of WhatsApp's server, but once that is done, they could run classic MiTM attacks on all WhatsApp users.
I think I will learn a lot and have fun too.
Maybe. Maybe not.
"If truth is beauty, how come no one has their hair done in the library?" -- Lily Tomlin