Internet DRAFT - draft-kiefer-mls-light
draft-kiefer-mls-light
Network Working Group F. Kiefer
Internet-Draft K. Bhargavan
Intended status: Informational Cryspen
Expires: 5 September 2024 R. L. Barnes
Cisco
J. Alwen
M. Mularczyk
AWS Wickr
4 March 2024
Light Clients for MLS
draft-kiefer-mls-light-00
Abstract
The Messaging Layer Security (MLS) protocol provides efficient
asynchronous group key establishment for large groups with up to
thousands of clients. In MLS, any member can commit a change to the
group, and consequently, all members must download, validate, and
maintain the full group state which can incur a significant
communication and computational cost, especially when joining a
group.
This document defines Light MLS, an extension that allows for "light
clients". A light client cannot commit changes to the group, and
only has partial authentication information for the other members of
the group, but is otherwise able to participate in the group. In
exchange for these limitations, a light client can participate in an
MLS group with significantly lower requirements in terms of download,
memory, and processing.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://example.com/LATEST. Status information for this document may
be found at https://datatracker.ietf.org/doc/draft-kiefer-mls-light/.
Discussion of this document takes place on the WG Working Group
mailing list (mailto:WG@example.com), which is archived at
https://example.com/WG.
Source for this draft and an issue tracker can be found at
https://github.com/USER/REPO.
Kiefer, et al. Expires 5 September 2024 [Page 1]
�
Internet-Draft Light MLS March 2024
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 September 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4
5. Open Questions . . . . . . . . . . . . . . . . . . . . . . . 6
6. Tree Slices . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Light MLS . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Verifying Group Validity . . . . . . . . . . . . . . . . 10
7.1.1. Joining as a Light Client . . . . . . . . . . . . . . 10
7.1.2. Processing a Light Commit . . . . . . . . . . . . . . 10
7.2. Light MLS Extension . . . . . . . . . . . . . . . . . . . 11
7.2.1. Light MLS LeafNode . . . . . . . . . . . . . . . . . 12
7.3. Committing with a Light Client . . . . . . . . . . . . . 12
7.3.1. Maintaining state . . . . . . . . . . . . . . . . . . 13
8. Full Members . . . . . . . . . . . . . . . . . . . . . . . . 13
Kiefer, et al. Expires 5 September 2024 [Page 2]
�
Internet-Draft Light MLS March 2024
9. Operational Considerations . . . . . . . . . . . . . . . . . 13
9.1. Delivery Service Commit Processing . . . . . . . . . . . 13
9.2. How to use Light MLS . . . . . . . . . . . . . . . . . . 14
9.3. Light Messages from the Sender . . . . . . . . . . . . . 14
10. Security Considerations . . . . . . . . . . . . . . . . . . . 14
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
11.1. MLS Wire Formats . . . . . . . . . . . . . . . . . . . . 16
11.2. MLS Extension Types . . . . . . . . . . . . . . . . . . 16
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
12.1. Normative References . . . . . . . . . . . . . . . . . . 16
12.2. Informative References . . . . . . . . . . . . . . . . . 17
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
The Messaging Layer Security protocol [RFC9420] enables continuous
group authenticated key exchange among a group of clients. The
design of MLS implicitly requires all members to download and
maintain the full MLS tree, validate the credentials and signatures
of all members, and process full commit messages. The size of the
MLS tree is linear in the size of the group, and each commit message
can also grow to be linear in the group size. Consequently, the MLS
design results in high latency and performance bottlenecks at new
members seeking to join a large group, or processing commits in large
groups.
This document defines an extension to MLS to allow for "light
clients" -- clients that do not download, validate, or maintain the
entire ratchet tree for the group. On the one hand, this "lightness"
allows a light client to participate in the group with much
significantly lower communication and computation complexity
(logarithmic in the group size in the worst case). On the other
hand, without the full ratchet tree, the light client cannot create
Commit messages to put changes to the group into effect. Light
clients also only have authentication information for the parts of
the tree they download, not the whole group.
Kiefer, et al. Expires 5 September 2024 [Page 3]
�
Internet-Draft Light MLS March 2024
We note that this document does not change the structure of the MLS
tree, or the contents of messages sent in the course of an MLS
session. It only modifies the local state stored at light clients,
and changes how each light client downloads and checks group
messages. The only modifications required for standard clients are
related to the negotiation of an MLS extension, and additional data
they need to send with each commit. Furthermore, we note that the
changes in this document only affects the component of MLS that
manages, synchronizes, and authenticates the public group state. It
does not affect the TreeKEM key establishment or the application
message sub-protocols.
The rest of the documemt defines the behavior of light clients, and
the required modifications to standard MLS clients and the MLS
infrastructure.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Terminology
This document introduces the following new concepts
* Tree Slice: A tree slice is the direct path from a leaf node to
the root, together with the tree hashes on the co-path.
* Proof of Membership: A proof of membership for leaf A is a tree
slice that proves that leaf A is in the tree with the tree hash in
the root of the tree slice.
* Light Commit: A light commit is a commit that the server stripped
down to hold only the encrypted path secret for the receiver.
* Light client: A light client is a client that does not know the
MLS tree but only its own tree slice.
* Full client: A full client is conversely a client that is running
the full MLS protocol from [RFC9420].
4. Protocol Overview
Kiefer, et al. Expires 5 September 2024 [Page 4]
�
Internet-Draft Light MLS March 2024
Full Delivery Light Light Light
Client Service Client A Client B Client C
| | | | |
| Commit | | | |
| GroupInfo | | | |
| Welcome | | | |
+--------------->| Welcome | | |
| +------------->| | |
| | | | |
| | LightCommitB | | |
| +------------------------>| |
| | | | |
| | LightCommitC | | |
| +----------------------------------->|
| | | | |
| | TreeSliceB | | |
| +------------->| | |
| | | | |
Figure 1: Overview of Light MLS
Figure 1 illustrates the three main changes introduced by Light MLS:
1. Light clients are always added to the group with a "light"
Welcome message, i.e., one that does not include the ratchet_tree
extension.
2. The MLS Delivery Service splits each Commit message into a set of
LightCommit messages, one per light client.
3. Light clients can download "slices" of the tree to authenticate
individual other users (here, A authenticates B).
MLS groups that support light clients must use the light_clients
extension (Section 7.2) in the required capabilities. When this
extension is present in the group context, all messages, except for
application messages, MUST use public messages.
The changes are primarily on light clients. When joining a group as
a light client, the client downloads the proof of memberships for the
sender (committer) and the receiver (the light client). The sender's
proof of membership can be discarded after being checked such that
only the client's direct path and hashes on the co-path are stored.
Light clients do not process proposals that modify the structure of
the tree, in particular Add, Update, or Remove proposals.
When processing a commit, the client retrieves
Kiefer, et al. Expires 5 September 2024 [Page 5]
�
Internet-Draft Light MLS March 2024
* the light commit that contains only the path secret encrypted for
the client
* the sender's proof of membership
* the signed group info
The client MUST NOT check the signature and membership tag on the
framed content, but MUST check the sender's proof of membership, the
signed group info, and the confirmation tag.
In groups with light_clients support, committers MUST send a signed
group info with every commit.
The server MUST track the public group state together with the signed
group info, and provide endpoints for clients to retrieve light
commits and light welcomes. Further, it SHOULD provide an API to
retrieve proof of memberships for arbitrary leaves, and an API to
retrieve the full tree.
5. Open Questions
*Proposals:* In this document, we have assumed that light clients
don't need to see or validate proposals. This is clearly true for
proposals that just modify the tree, e.g., Add/Update/Remove, but
less clear for proposals such as PreSharedKey and
GroupContextExtensions, and even less clear for custom proposals. We
may want to define a way that an application could enable light
clients to verify some proposals. A light client can verify the
signature on a proposal given a tree slice for the signer, but more
mechanism might be needed to allow a light client to verify that a
proposal was actually included in a Commit.
*Slimming Down Further:* We have assumed that LeafNode and GroupInfo
messages are small enough that it's acceptable for light clients to
have to download them. However, these messages themselves can be
large, e.g., due to large extensions. It may be desireable to define
lighter variants of these structs, for example:
* Defining a variant of GroupInfo that is intended for members of
the group, who do not need to receive a copy of the GroupContext
extensions.
* Updating the tree hash algorithm for leaf nodes so that a light
client could receive and verify a subset of a leaf node (e.g. only
the signature key and credential)
Kiefer, et al. Expires 5 September 2024 [Page 6]
�
Internet-Draft Light MLS March 2024
6. Tree Slices
A light client does not download or store the whole MLS ratchet tree,
but still needs to download parts of the tree to verify the
membership and identity of specific members. For example, the client
needs to verify that it is in fact a member of the group, and that
the sender of a Welcome adding it to the group is a member.
A tree slice provides one or more leaf nodes from the tree, together
with the nodes and node hashes that are required to verify that those
leaves are included in a tree with a given tree hash. A tree slice
can thus function as a proof of membership for the members at the
included leaf nodes.
X = root
|
.-----+-----.
/ \
X #
|
.-+-.
/ \
# X
/ \
X #
0 1 2 3 4 5 6 7
Figure 2: Tree slice for leaf 2 in an 8-member tree. For nodes
with 'X', the full node is included; with '#', only the hash.
Kiefer, et al. Expires 5 September 2024 [Page 7]
�
Internet-Draft Light MLS March 2024
struct {
uint32 index;
opaque tree_hash<V>;
} Hashes;
enum {
reserved(0),
xnode(1),
hashes(2),
(255)
} XNodeType;
struct {
optional<Node> node;
uint32 index;
} XNode;
struct {
XNodeType node_type;
select (XNode.node_type) {
case xnode: XNode xnode;
case hashes: Hashes hashes;
}
} SliceNode;
struct {
SliceNode nodes<V>;
uint32 leaf_index;
uint32 n_leaves;
} TreeSlice;
Tree slices are used to prove group membership of leaves. The
tree_info in light MLS messages always contains the sender's and may
contain the receiver's tree slices to allow the receiver to check the
proof of membership.
To verify the correctness of the group on a light client, the client
checks its tree hash and parent hashes. For each direct path from a
leaf to the root that the client has (tree slices), it checks the
parent hash value on each node by using original_tree_hash of the co-
path nodes. The tree hash on the root node is computed similarly,
using the tree_hash values for all nodes where the client does not
have the full nodes.
The delivery service should allow to query TreeSlice for proof of
memberships at any point for any member in the tree.
Kiefer, et al. Expires 5 September 2024 [Page 8]
�
Internet-Draft Light MLS March 2024
7. Light MLS
Light MLS is a variant of MLS run by light clients.
For light welcomes the necessary tree information can be retrieved
from the delivery server, or provided via the tree_info GroupInfo
extension.
struct {
TreeSlice tree_info<V>;
} TreeInfo
Light commit messages are defined as a new content type for the
FramedContent. A light commit contains a GroupInfo with a
LightPathSecret extension, which contains the commit secret for the
receiving light client and the corresponding node index. In
addition, the GroupInfo contains a TreeInfo extension with the
committer's direct paths.
enum {
reserved(0),
application(1),
proposal(2),
commit(3),
light_commit(4),
(255)
} ContentType;
struct {
HPKECiphertext encrypted_path_secret;
uint32 decryption_node_index;
} LightPathSecret;
struct {
GroupInfo group_info;
} LightCommit;
Full MLS clients do not need to implement these types. The delivery
service can build these messages instead.
The committer's new leaf node is not part of the LightCommit message.
Instead, it is part of the tree_info extension in the GroupInfo.
Kiefer, et al. Expires 5 September 2024 [Page 9]
�
Internet-Draft Light MLS March 2024
7.1. Verifying Group Validity
A light client can not do all the checks that a client with the MLS
tree can do. We therefore update the checks performed on tree
modifications. Instead of verifying the MLS tree, light clients
verify that they are in a group with a certain tree hash value. In
particular the validation of commits and welcome packages are
modified compared to [RFC9420].
7.1.1. Joining as a Light Client
When a new member joins the group with a Light Welcome message
(Section 12.4.3.1. [RFC9420]) without the ratchet tree extension the
checks are updated as follows.
1. Verify the GroupInfo
1. signature
2. confirmation tag
3. tree hash
2. Verify the sender's membership (see Section 6).
3. Check the own direct path to the root (see Section 6).
4. Do _not_ verify leaves in the tree.
7.1.2. Processing a Light Commit
Because the the signature and membership tag on the FramedContent in
Light Commit messages is broken, these MUST NOT be checked by the
receiver.
Instead, the proof of membership in the tree_info is verified for the
sender.
Note that while a light client can check the parent hashes when
verifying the new group state, it can not verify all points from Sec.
7.9.2 in [RFC9420]. In particular, the check that "D is in the
resolution of C, and the intersection of P's unmerged_leaves` with
the subtree under C is equal to the resolution of C with D removed."
can not be performed because the light client can not compute the
resolution. But this property always holds on correctly generated
tree, which the light client has to trust, not knowing the MLS tree.
Kiefer, et al. Expires 5 September 2024 [Page 10]
�
Internet-Draft Light MLS March 2024
Taking the confirmed transcript hash from the GroupInfo, a light
client checks the confirmation tag. Otherwise, a Light Commit is
applied like a regular commit.
In summary, when a member receives a Light Commit message the checks
are updated as follows.
1. Verify the sender's membership (see Section 6) and leaf node (see
Section 7.3 [RFC9420]).
2. Verify the own path (see Section 6).
3. Verify the GroupInfo signature.
4. Check the tree hash in the GroupInfo matches the clients own tree
hash.
7.2. Light MLS Extension
The light_clients group context extension is used to signal that the
group supports Light MLS clients.
enum LightClientType {
reserved(0),
no_upgrade(1),
resync_upgrade(2),
self_upgrade(3),
any_upgrade(4),
(255)
}
struct {
LightClientType upgrade_policy;
} LightMlsExtension;
The extension must be present and set in the required capabilities of
a group when supporting light clients. It further defines ways light
clients may upgrade to a full client.
* no_upgrade does not allow light clients to upgrade to full MLS.
* resync_upgrade allows light clients to upgrade to full MLS by
using an external commit. The resync removes the old client from
the group and adds a new client with full MLS.
* self_upgrade allows light clients to upgrade to full MLS by
retrieving the full tree from the server. Together with the
signed group info of the current epoch the client "silently"
Kiefer, et al. Expires 5 September 2024 [Page 11]
�
Internet-Draft Light MLS March 2024
upgrades to full MLS with security equivalent to joining a new
group. The client MUST perform all checks from Section 12.4.3.1
[RFC9420].
* any_upgrade allows light clients to use either of the two upgrade
mechanisms.
7.2.1. Light MLS LeafNode
The light_client leaf node extension signals that a leaf node is a
light client. The extension is an empty struct.
struct {
} LightMlsClient;
7.3. Committing with a Light Client
A light client _cannot commit_ because it doesn't know the necessary
public keys in the tree to encrypt to. Therefore, if a light client
wants to commit, it first has to upgrade to full MLS. Because a
light client is not able to fully verify incoming proposals, it MUST
NOT commit to proposals it received while not holding a full tree. A
client that is upgrading to a full MLS tree is therefore considered
to be a new client that has no knowledge of proposals before it
joined. Note that this restriction can not be enforced. However,
since each client in [RFC9420] must check the proposals, a
misbehaving client that upgraded can only successfully commit bogus
proposals when all other clients and the delivery service agree.
The light clients extension (Section 7.2) defines the possible
upgrade paths for light clients.
In order to ensure that the tree retrieved from the server contains
the tree slice known to the client, the upgrading client MUST perform
the following checks:
* Verify that the tree hash of the tree slice and the full tree are
equivalent.
* Verify that all full nodes (XNode) in the client's state are
equivalent to the corresponding nodes in the full tree.
* Perform all checks on the tree as if joining the group with a
Welcome message (see Section 12.4.3.1. in [RFC9420]).
Note that the client already checked the signed group info.
Kiefer, et al. Expires 5 September 2024 [Page 12]
�
Internet-Draft Light MLS March 2024
To retrieve the full tree, the delivery service must provide an end
point, equivalent to the one used to retrieve the full tree for a new
member that wants to join with a commit.
7.3.1. Maintaining state
After committing, the client can decide to switch to regular MLS and
process the full tree as described in [RFC9420]. This will cause the
client's performance to degrade to the performance of regular MLS,
but allows it to commit again without the necessity to download the
full tree again.
If the client does not expect to commit regularly, only the own tree
slice should be kept after a commit.
8. Full Members
Full MLS members in groups with light clients don't need significant
changes. Any changes can always be built on top of regular MLS
clients. In particular, full MLS clients are required to send a
GroupInfo alongside every commit message to the delivery service.
Depending on the deployment, the delivery service might also ask the
client to send a ratchet tree for each commit. But the delivery
service can track the tree based on commit messages such that sending
ratchet trees with commits is not recommended.
9. Operational Considerations
The delivery service for MLS groups with light clients must provide
additional endpoints for Light Welcome and Light Commit messages. In
order to provide these endpoints the server must keep track of the
public group state.
9.1. Delivery Service Commit Processing
The delivery service processes Commits for light clients and produces
LightCommit messages for them. To do this, the server creates the
sender and receiver proof of memberships (tree_info), adds the
group_info of the current epoch, and removes all information from the
Commit struct that is not needed by the receiver. In particular,
only the required UpdatePathNode is kept from the nodes vector, and
only the HPKECiphertext the receiver can process is kept from the
encrypted_path_secret vector. For the receiver to identify the
decryption key for the ciphertext, the server adds the
decryption_node_index to the LightCommit.
Kiefer, et al. Expires 5 September 2024 [Page 13]
�
Internet-Draft Light MLS March 2024
9.2. How to use Light MLS
Bootstrapping large groups can be particularly costly in MLS. Light
MLS can be used to bootstrap large groups before lazily upgrading
light clients to full clients. This distributes the load on the
server and clients.
Light MLS may also be used on low powered devices that only
occasionally upgrade to full MLS clients to commit to the group, for
example when charging.
Light clients can decide to store the tree slices and build up a tree
over time when other members commit. But client may decide to delete
the sender paths it gets after verifying it's correctness.
9.3. Light Messages from the Sender
When the delivery service does not provide the necessary endpoints
for light messages, the committer can build and end the light commit
and welcome messages directly.
10. Security Considerations
The MLS protocol in [RFC9420] has a number of security analyses
attached. To describe the security of light MLS and how it relates
to the security of full MLS we summarize the following main high-
level guarantees of MLS as follows:
* *Membership Agreement*: If a client B has a local group state for
group G in epoch N, and it receives (and accepts) an application
message from a sender A for group G in epoch N, then A must be a
member of G in epoch N at B, and if A is honest, then A and B
agree on the full membership of the group G in epoch N.
* *Member Identity Authentication*: If a client B has a local group
state for group G in epoch N, and B believes that A is a member of
G in epoch N, and that A is linked to a user identity U, then
either the signature key of U’s credential is compromised, or A
belongs to U.
* *Group Key Secrecy*: If B has a local group state for group G in
epoch N with group key K (init secret), then K can only be known
to members of G in epoch N. That is, if the attacker knows K,
then one of the signature or decryption keys corresponding to one
of the leaves of the tree stored at B for G in epoch N must be
compromised. To obtain these properties, each member in MLS
verifies a number of signatures and MACs, and seeks to preserve
the TreeKEM Tree Invariants:
Kiefer, et al. Expires 5 September 2024 [Page 14]
�
Internet-Draft Light MLS March 2024
* *Public Key Tree Invariant*: At each node of the tree at a member
B, the public key, if set, was set by one of the members currently
underneath that node
* *Path Secret Invariant*: At each node, the path secret stored at a
member B, if set, was created by one of the members currently
underneath that node
As a corollary of Group Key Secrecy, we also obtain authentication
and confidentiality guarantees for application messages sent and
received within a group.
To verify the security guarantees provided by light members, a new
security analysis is needed. We have analyzed the security of the
protocol using two verification tools ProVerif and F*. The security
analysis, and design of the security mechanisms, are inspired by work
from Alwen et al. [AHKM22].
Light MLS preserves the invariants above and thereby all the security
goals of MLS continue to hold at full members. However, a light
member may not know the identities of all other members in the group,
and it may only discover these identities on-demand. Consequently,
the Member Identity Authentication guarantee is weaker on light
clients. Furthermore, since light members do not store the MLS tree,
membership agreement only holds for the hash of the MLS tree:
* *Light Membership Agreement*: If a light client B has a local
group state for group G in epoch N, and it receives (and accepts)
an application message from a sender A for group G in epoch N,
then A must be a member of G in epoch N at B, and if A is honest,
then A and B agree on the GroupContext of the group G in epoch N.
* *Light Member Identity Authentication*: If a light client B has a
local group state for group G in epoch N, and B has verified A’s
membership proof in G, and A is linked to a user identity U, then
either the signature key of U’s credential is compromised, or A
belongs to U.
* *Light Group Key Secrecy*: If a light client B has a local group
state for group G in epoch N with group key K (init secret), and
if the tree hash at B corresponds to a full tree, then K can only
be known to members at the leaves of this tree. That is, if the
attacker knows K, then the signature or decryption keys at one of
the leaves must have been compromised.
Kiefer, et al. Expires 5 September 2024 [Page 15]
�
Internet-Draft Light MLS March 2024
Another technical caveat is that since light members do not have the
full tree, they cannot validate the uniqueness of all HPKE and
signature keys in the tree, as required by RFC MLS. The exact
security implications of removing this uniqueness check is not clear
but is not expected to be significant.
11. IANA Considerations
This document defines two new message types for MLS Wire Formats, and
a new MLS Extension Type
11.1. MLS Wire Formats
+========+===================+===+===============+
| Value | Name | R | Ref |
+========+===================+===+===============+
| 0x0006 | mls_light_welcome | - | This Document |
+--------+-------------------+---+---------------+
| 0x0007 | mls_light_commit | - | This Document |
+--------+-------------------+---+---------------+
Table 1: MLS Wire Formats Registry
11.2. MLS Extension Types
+========+===============+============+===+===============+
| Value | Name | Message(s) | R | Ref |
+========+===============+============+===+===============+
| 0x0006 | light_clients | GC | - | This Document |
+--------+---------------+------------+---+---------------+
Table 2: MLS Extension Types Registry
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
Kiefer, et al. Expires 5 September 2024 [Page 16]
�
Internet-Draft Light MLS March 2024
[RFC9420] Barnes, R., Beurdouche, B., Robert, R., Millican, J.,
Omara, E., and K. Cohn-Gordon, "The Messaging Layer
Security (MLS) Protocol", RFC 9420, DOI 10.17487/RFC9420,
July 2023, <https://www.rfc-editor.org/rfc/rfc9420>.
12.2. Informative References
[AHKM22] Alwen, J., Hartmann, D., Kiltz, E., and M. Mularczyk,
"Server-Aided Continuous Group Key Agreement", ACM,
Proceedings of the 2022 ACM SIGSAC Conference on Computer
and Communications Security, DOI 10.1145/3548606.3560632,
November 2022, <https://doi.org/10.1145/3548606.3560632>.
Acknowledgments
TODO acknowledge.
Authors' Addresses
Franziskus Kiefer
Cryspen
Email: franziskuskiefer@gmail.com
Karthikeyan Bhargavan
Cryspen
Email: karthik.bhargavan@gmail.com
Richard L. Barnes
Cisco
Email: rlb@ipv.sx
Joël Alwen
AWS Wickr
Email: alwenjo@amazon.com
Marta Mularczyk
AWS Wickr
Email: mulmarta@amazon.ch
Kiefer, et al. Expires 5 September 2024 [Page 17]
