Explain the impact of unencrypted operations. Fixes #210 (#246)

* Explain the impact of unencrypted operations. Fixes #210 Incorporate a revised version of @rohan-wire's text from Issue #210. Instead of telling people they should use encrypted messages, instead explain the consequences of doing so or not. * Update draft-ietf-mls-architecture.md Co-authored-by: rohan-wire <[email protected]> * Update draft-ietf-mls-architecture.md Co-authored-by: Richard Barnes <[email protected]> * Update draft-ietf-mls-architecture.md Co-authored-by: Richard Barnes <[email protected]> * add missing parenthesis Co-authored-by: Rohan Mahy <[email protected]> --------- Co-authored-by: rohan-wire <[email protected]> Co-authored-by: Richard Barnes <[email protected]> Co-authored-by: Sean Turner <[email protected]> Co-authored-by: Rohan Mahy <[email protected]>
mlswg · Mar 21, 2024 · 82dcf3e · 82dcf3e
1 parent c93e4a6
commit 82dcf3e
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/draft-ietf-mls-architecture.md b/draft-ietf-mls-architecture.md
@@ -907,16 +907,22 @@ application could decide that a group administrator will be the only member to
 perform add and remove operations. On the other hand, in many settings such as
 open discussion forums, joining can be allowed for anyone.
 
-The MLS protocol can, in certain modes, exchange unencrypted group operation
-messages. This flexibility is to allow services to perform access control tasks
-on behalf of the group.
-
-While the Application messages will always be encrypted, having the handshake
-messages in plaintext has privacy consequences as someone could
-collect the signatures on the handshake messages and use them for tracking.
-
-> **RECOMMENDATION:** Prefer using encrypted group operation messages to avoid
-> privacy issues related to non-encrypted signatures.
+While MLS Application messages are always encrypted,
+MLS handshake messages can be sent either encrypted (in an MLS
+PrivateMessage) or unencrypted (in an MLS PublicMessage). Applications
+may be designed such that intermediaries need to see handshake
+messages, for example to enforce policy on which commits are allowed,
+or to provide MLS ratchet tree data in a central location. If
+handshake messages are unencrypted, it is especially important that
+they be sent over a channel with strong transport encryption
+(see {{security-and-privacy-considerations}}) in order to prevent external
+attackers from monitoring the status of the group. Applications that
+use unencrypted handshake messages may take additional steps to reduce
+the amount of metadata that is exposed to the intermediary. Everything
+else being equal, using encrypted handshake messages provides stronger
+privacy properties than using unencrypted handshake messages,
+as it prevents intermediaries from learning about the structure
+of the group.
 
 If handshake messages are encrypted, any access
 control policies must be applied at the client, so the application must ensure