Right now delete is an empty payload, but the server can send that for any record. We can ensure that the client issued the delete by encrypting the payload. Would it be okay to just tag the data as delete in plaintext for the server to clean, but still somehow prove that only somebody with access issued the delete? A bonus would be to avoid replay deletes too.
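One way to realise the plaintext-tagged variant asked about above, as an added example that is not code from the Weave project: the delete marker stays readable to the server so it can clean up, but carries an HMAC-SHA256 tag under a key the server never holds plus a per-record sequence number, so the receiving client rejects a server-manufactured delete and a replayed older one. The key, record layout and function names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed key for the example; in a real client it would be derived
# from the user's sync secret, which the server never sees (assumption).
KEY = b"constructed-sync-key-for-example"


def _tag(payload: dict, key: bytes) -> str:
    # Canonical JSON so both sides MAC exactly the same bytes.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_delete_record(record_id: str, seq: int, key: bytes = KEY) -> dict:
    """Client side: plaintext delete marker the server can read, plus a MAC
    proving that a key holder (not the server) issued it."""
    payload = {"id": record_id, "deleted": True, "seq": seq}
    return {"payload": payload, "mac": _tag(payload, key)}


def verify_delete(record: dict, last_seq: dict, key: bytes = KEY) -> bool:
    """Receiving client: accept a delete only if the MAC verifies and the
    sequence number is newer than the last one seen for that record id.
    last_seq is the caller's per-record state and is updated on success."""
    payload = record.get("payload") or {}
    if payload.get("deleted") is not True:
        return False
    # Constant-time comparison; a bare or wrong-key tag fails here.
    if not hmac.compare_digest(_tag(payload, key), str(record.get("mac", ""))):
        return False
    # Replay check: an old delete for a record we already advanced past.
    if payload.get("seq", -1) <= last_seq.get(payload.get("id"), -1):
        return False
    last_seq[payload["id"]] = payload["seq"]
    return True


if __name__ == "__main__":
    seen = {}
    genuine = make_delete_record("bookmark-1", 5)
    print("client-issued delete accepted:", verify_delete(genuine, seen))
    print("same delete replayed accepted:", verify_delete(genuine, seen))
    forged = {"payload": {"id": "bookmark-2", "deleted": True, "seq": 1}, "mac": ""}
    print("server-manufactured delete accepted:", verify_delete(forged, seen))
```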
Created attachment 430776: v1
Created attachment 431449: v1.1
http://hg.mozilla.org/labs/weave/rev/c8d528f14dab Don't specially serialize/not encrypt delete records and store the deleted flag as part of the cleartext payload.