Skip to main content

The Messaging Layer Security (MLS) Architecture

Document Type Expired Internet-Draft (mls WG)
Authors Benjamin Beurdouche , Eric Rescorla , Emad Omara , Srinivas Inguva , Albert Kwon , Alan Duric
Last updated 2022-04-07 (Latest revision 2021-10-04)
Replaces draft-omara-mls-architecture
Stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Expired & archived
plain text html xml htmlized pdfized bibtex
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Expired
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to Katriel Cohn-Gordon <>, Cas Cremers <>, Thyla van der Merwe<>, Jon Millican <>, Raphael Robert <>
This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at:


The Messaging Layer Security (MLS) protocol [MLSPROTO] document has the role of defining a Group Key Agreement, all the necessary cryptographic operations, and serialization/deserialization functions necessary to create a scalable and secure group messaging protocol. The MLS protocol is meant to protect against eavesdropping, tampering, message forgery, and provide good properties such as forward-secrecy (FS) and post-compromise security (PCS) in the case of past or future device compromises. This document, on the other hand is intended to describe a general secure group messaging infrastructure and its security goals. It provides guidance on building a group messaging system and discusses security and privacy tradeoffs offered by multiple security mechanism that are part of the MLS protocol (ie. frequency of public encryption key rotation). The document also extends the guidance to parts of the infrastructure that are not standardized by the MLS Protocol document and left to the application or the infrastructure architects to design. While the recommendations of this document are not mandatory to follow in order to interoperate at the protocol level, most will vastly influence the overall security guarantees that are achieved by the overall messaging system. This is especially true in case of active adversaries that are able to compromise clients, the delivery service or the authentication service.


Benjamin Beurdouche
Eric Rescorla
Emad Omara
Srinivas Inguva
Albert Kwon
Alan Duric

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)