Early Review of draft-ietf-mls-architecture-09
review-ietf-mls-architecture-09-secdir-early-nir-2022-10-08-00

The document describes the Message Layer Security (MLS) architecture, and
includes a very thorough and comprehensive analysis of the security and privacy
issues in section 7, including recommendations. Considering the length and the
breadth, it is not surprising that I cannot find anything missing.

A few nits:

The document uses terms that are not defined within the document:
* "MLSCiphertext" appears in section 7.1.1 without having been defined earlier.
That's probably acceptable because it is defined in the protocol document which
is a normative reference. Still, such terms are commonly redefined. *
"Anonymous credentials" are mentioned without having been defined in either
this document or in the protocol document. It *is* a term that is used
occasionally, but AFAICT the only IETF document that defines it is RFC 4949,
which is (a) not referenced here, and (b) defines it as a USG term, and (c)
says that Internet drafts "SHOULD NOT use this term"

Section 7.2.3 defines "deniability" and then says that "MLS does not make any
claims with regard to deniability". So why do we need that paragraph?

The document includes three instances of the adverb "extremely" and five of the
adverb "very", all in section 7, and I don't think they are necessary. Better
yet, some of them could be replaced with actual measures. For example, "MLS
avoids needing to send the full list of recipients ... because that list is
potentially extremely large in MLS." How large? 5? 1000? A billion?  In other
cases, "...clients have the extremely important role of deleting appropriate
keys..." just sounds like a new formulation of SHOULD. I don't think those
adverbs are necessary. Interestingly, the protocol document has only one
instance of "very" and it is expanded to a measure: "The use of variable-size
integers for vector lengths allows vectors to grow very large, up to 2^30
bytes."