Skip to main content

Minutes interim-2020-mls-02: Wed 14:00
minutes-interim-2020-mls-02-202001291400-01

Meeting Minutes Messaging Layer Security (mls) WG
Date and time 2020-01-29 14:00
Title Minutes interim-2020-mls-02: Wed 14:00
State Active
Other versions plain text
Last updated 2020-02-18

minutes-interim-2020-mls-02-202001291400-01
Attendees:Joel Alwen, Richard Barnes, Raphael Robert, Britta Hale, Brendan
McMillion, Nick Sullivan

# Issues / PRs

#247 - Welcome confirmation and key derivation
* Fixes bugs RLB found in the last draft while implementing
* OK to merge after rebase / conflict resolution
* Later it was discovered that this was obsolete, so it was closed.

#246 - Bugfixes in ClientInitKey, Commit, and Welcome
* Derives the Welcome encryption key instead of generating fresh
* ... under the general theory about not requiring freshness when not necessary
* OK to merge after rebase / conflict resolution
* This one too was mostly obsoleted, so it was refactored to fix one typo and
add an extension for an application-provided CIK ID.  Then merged.

#281 - Extend the epoch with a commit hash
* Thanks in part to some vigorous discussion at the interim, Richard had gotten
over my ardor for forking and closed this PR :)  He still thinks it will be
desirable to be able to have nonlinear history, but he also think it requires
some further analysis, and can be done as an extension. * As Brendan noted on
the call, #287 depends on #286 and #286, so we should probably merge those
first...

#283 - Use the same ratchet for Handshake and Application keys
* There's no point to FS for Proposals because clients have to cache the
plaintext anyway * Given that, the "flat derivation" approach should be fine *
We should have separate keys per sender to it easier to avoid nonce collisions
* RLB and RR to decide whether we should derive nonces on a hash ratchet or
just use a counter

#285 - Get rid of ignored proposals.
* Richard had added "ignored" to the Commit message to allow the Committer to
indicate Proposals that they had received, but was not committing.  Brendan
makes a plausible case in the PR that this distinction is not worthwhile, and
this cleans it up.  Please speak up now if you have a concern / objection to
merging this PR.

#286 - Editorial: Unclear that Commits always include an Update/refreshes the
CIK for the committer. Richard thinks this is ready to merge, with one minor
clarification.

#287 - Switch to signing strategy using one signature per leaf.
* There was agreement among those on the call to proceed with this strategy
(tree-hash-covers-parent-hash) * ... given the deniability concerns and unclear
benefit of the alternative (parent-hash-covers-tree-hash) * If further
considerations come to light from analysis, we can revisit later

# AOB

None.