Meeting notes MLS WG interim Dec. 8 2022

• Sean and Richard update everyone on where we are on the Roadmap
• There has been a lot of activity on GitHub due to the AD review
• We might get into IETF last call before the end of the year

PR #751/#752: remove unmerged_leaves, add last_update epoch in leaves

• Richard proposes closing the PRs and instead including them in an
  extension
• Theophile still likes the changes included in the PRs, but is ok
  with closing them
• Britta asks if the DS wouldn't collect that information anyway
• Raphael notes that we might store timestamps indicating when a
  client has last performed an update so that stale clients can be
  removed
• In his opinion, the biggest risk is that the metadata points to old
  clients that represent particularly juicy targets for compromise
• Rohan says that they probably won't store this metadata, because
  they collect other, more useful metadata anyway
• Richard notes that Webex is not storing that data
• @Richard will close the PRs

PR #752: When adding new members, clients can send as many Welcome
messages as they want

• If the Welcome messages include the trees, they can get large fast
• Huberts notes that groups with thousands of members lead to Welcome
  messages with hundreds of KB
• Richard notes that you can track Hubert's work here:
  http://arewemlsyet.com/
• The overhead grows with the size of the HPKE public keys, e.g. when
  using a PQ KEM
• There are no objections. @Richard will merge.

PR #755: Basic credentials no longer exist in the spec as a struct and
should be removed entirely

• Basic credential doesn't contain a reference to the signature public
  key, which might be problematic
• Richard filed an issue and Konrad will take a look at it

PR #757: External join in the first epoch doesn't work

• Marta notes that there is currently some ambiguity regarding the
  creation of GroupInfo in the first group epoch
• Marte changes her proposal so that the interim transcript hash is
  the empty confirmed transcript hash and the confirmation tag over an
  empty transcript
• After that change Richard will review the PR and merge

PR #820: Nits from AD review

• The only change of note is how the NIST curve PKs are described
• No objections to the proposed change (a pointer to RFC8446)
• Richard will merge

PR #821: Make the ProtocolVersion enum two bytes long

• Raphael notes that variants of MLS might crop up that can each get
  their own ProtocolVersion
• Richard: An alternative to extending the ProtocolVersion (or
  WireFormat) enum would be to enter them into IANA
• Richard: Proposed solution: Make ProtocolVersion and WireFormat two
  bytes and enter ProtocolVersion into IANA
• Richard will create a PR

PR #822: Make more code points available

• Agreed upon and merged

PR #824: Expiring credentials

• Due to asynchronicity, credentials can expire before new joiners
  come online
• Richard proposes a soft, per-application requirement and some
  guidance in the protocol spec
• Marta notes that receiving of invalid credentials is not yet covered
  by the PR. It should be recommended to PRs to validate based on when
  the commit was sent not when it was received. It would be up to the
  application to judge the timing.
• Britta notes that "invalid" and "invalid due to timing issues"
  should be clearly distinguished
• A "catch-up mode" might help scope validation of credentials

• Richard will merge and propose a follow-up PR that solves the issues
  discussed

• Sean asks everyone to read and review PRs for the architecture
  document

• None of the authors is present, so we won't merge any PRs today

PR #117 (architecture doc) Operational requirements

• Everyone seems to be okay to merge.

• Brendan asks if Basic credentials are intended to be used in
  production

• Discussion on Basic credentials is postponed to the next interim