A more efficient FramedContentTBS structure in Messsaging Layer Security (MLS)

]> A more efficient FramedContentTBS structure in Messsaging Layer Security (MLS)

rohan.ietf@gmail.com

Security Messaging Layer Security GroupContext hash FramedContent FramedContentTBS efficient signing deterministic signing Most MLS signatures are signed over the relatively large GroupContext structure. This document defines a way to safely sign using a pre-hashed version of the GroupContext structure for better efficiency. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Messaging Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction In MLS all in-member application, commit, and proposal messages (whether sent via a PublicMessage, PrivateMessage or SemiPrivateMessage ); and all external commits contain a signature of the FramedContentTBS structure. This structure contains the full GroupContext of the group, which can store a large amount of group state. (For example, in the MIMI protocol it contains the participant list for the group, which could contain thousands of URIs.) The GroupContext only changes once per epoch, therefore it is an excellent candidate to pre-hash and cache for efficiency reasons. This document defines an a replacement for the FramedContentTBS structure that uses a pre-hashed GroupContext, and an MLS extension for safely negotiating the use of the new struct.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Mechanism This document defines the new_framed_content_tbs extension. When present in a LeafNode.capabilities.extensions list, it indicates that the client supports this extension. When present in the required_capabilities.extension_types list in GroupContext.extensions it indicates that every member of the group MUST use the new FramedContentTBS structure. The FramedContentTBS structure is replaced with the new structure below. The only change is that the GroupContext is replaced with a hash (from the group's current MLS cipher suite) of the GroupContext. ; case external: case new_member_proposal: struct{}; }; } FramedContentTBS; ]]>

Security Considerations TODO Security

IANA Considerations This document requests the addition of a new MLS Extension Type value under the heading of "Messaging Layer Security". RFC EDITOR: Please replace XXXX throughout with the RFC number assigned to this document. The new_framed_content_tbs MLS Extension Type is used inside LeafNode and GroupContext objects. In a LeafNode it indicates support the the extension. In the required_capabilities of the GroupContext it indicates the extension is being used. Value: 0x000b (suggested) Name: new_framed_content_tbs Message(s): GC,LN: This extension may appear in GroupContext and LeafNode objects Recommended: Y Reference: RFC XXXX

References Normative References The Messaging Layer Security (MLS) Protocol Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Semi-Private Messages in the Messaging Layer Security (MLS) Protocol Rohan Mahy Consulting Services This document defines a SemiPrivateMessage for the Messaging Layer Security (MLS) protocol. It allows members to share otherwise private commits and proposals with a designated list of external receivers rather than send these handshakes in a PublicMessage. More Instant Messaging Interoperability (MIMI) using HTTPS and MLS Cisco The Matrix.org Foundation C.I.C. Phoenix R&D Rohan Mahy Consulting Services The Matrix.org Foundation C.I.C. Phoenix R&D This document specifies the More Instant Messaging Interoperability (MIMI) transport protocol, which allows users of different messaging providers to interoperate in group chats (rooms), including to send and receive messages, share room policy, and add participants to and remove participants from rooms. MIMI describes messages between providers, leaving most aspects of the provider-internal client- server communication up to the provider. MIMI integrates the Messaging Layer Security (MLS) protocol to provide end-to-end security assurances, including authentication of protocol participants, confidentiality of messages exchanged within a room, and agreement on the state of the room.

Acknowledgments TODO acknowledge.