Minutes interim-2020-mls-02: Wed 14:00
minutes-interim-2020-mls-02-202001291400-00

Attendees:Joel Alwen, Richard Barnes, Raphael Robert, Britta Hale, Brendan
McMillion, Nick Sullivan

#247 - Welcome confirmation and key derivation
* Fixes bugs RLB found in the last draft while implementing
* OK to merge after rebase / conflict resolution

#246 - Bugfixes in ClientInitKey, Commit, and Welcome
* Derives the Welcome encryption key instead of generating fresh
* ... under the general theory about not requiring freshness when not necessary
* OK to merge after rebase / conflict resolution

#283 - Use the same ratchet for Handshake and Application keys
* There's no point to FS for Proposals because clients have to cache the
plaintext anyway * Given that, the "flat derivation" approach should be fine *
We should have separate keys per sender to it easier to avoid nonce collisions
* RLB and RR to decide whether we should derive nonces on a hash ratchet or
just use a counter

#287 - Switch to signing strategy using one signature per leaf.
* There was agreement among those on the call to proceed with this strategy
(tree-hash-covers-parent-hash) * ... given the deniability concerns and unclear
benefit of the alternative (parent-hash-covers-tree-hash) * If further
considerations come to light from analysis, we can revisit later