Add SelfRemove proposal to MLS extensions

draft-ietf-mls-extensions.md

@@ -66,6 +66,7 @@ draft-03
 
 - Add Last Resort KeyPackage extension
 - Add Safe Extensions framework
+- Add SelfRemove Proposal
 
 draft-02
 
@@ -872,6 +873,99 @@ The `media_type` MAY be zero length, in which case, the media type of the
 `application_content` is interpreted as the first MediaType specified in
 `required_media_types`.
 
+## SelfRemove Proposal
+
+The design of the MLS protocol prevents a member of
+an MLS group from removing itself immediately from the group. (To cause
+an immediate change in the group, a member must send a Commit message.
+However the sender of a Commit message knows the keying material of the
+new epoch and therefore needs to be part of the group.) Instead a member
+wishing to remove itself can send a Remove Proposal and wait for another
+member to Commit its Proposal.
+
+Unfortunately, MLS clients that join via an External Commit ignore
+pending, but otherwise valid, Remove Proposals. The member trying to remove
+itself has to monitor the group and send a new Remove Proposal in every new
+epoch until the member is removed. In a
+group with a burst of external joiners, a member connected over a
+high-latency link (or one that is merely unlucky) might have to wait
+several epochs to remove itself. A real-world situation in which this happens
+is a member trying to remove itself from a conference call as several dozen
+new participants are trying to join (often on the hour).
+
+This section describes a new `SelfRemove` Proposal extension type. It is
+designed to be included in External Commits.
+
+### Extension Description
+
+This document specifies a new MLS Proposal type called `SelfRemove`. Its syntax
+is described using the TLS Presentation Language [@!RFC8446] below (its content
+is an empty struct). It is allowed in External Commits and requires an UpdatePath.
+SelfRemove proposals are only allowed in a Commit by reference. SelfRemove
+cannot be sent as an external proposal.
+
+~~~ tls-presentation
+struct {} SelfRemove;
+
+struct {
+    ProposalType msg_type;
+    select (Proposal.msg_type) {
+        case add:                      Add;
+        case update:                   Update;
+        case remove:                   Remove;
+        case psk:                      PreSharedKey;
+        case reinit:                   ReInit;
+        case external_init:            ExternalInit;
+        case group_context_extensions: GroupContextExtensions;
+        case self_remove:              SelfRemove;
+    };
+} Proposal;
+~~~
+
+The description of behavior below only applies if all the
+members of a group support this extension in their
+capabilities; such a group is a "self-remove-capable group".
+
+An MLS client which supports this extension can send a
+SelfRemove Proposal whenever it would like to remove itself
+from a self-remove-capable group. Because the point of a
+SelfRemove Proposal is to be available to external joiners
+(which are not yet members), these proposals MUST be sent
+in an MLS PublicMessage.
+
+Whenever a member receives a SelfRemove Proposal, it includes
+it along with any other pending Propsals when sending a Commit.
+It already MUST send a Commit of pending Proposals before sending
+new application messages.
+
+When a member receives a Commit referencing one or more SelfRemove Proposals,
+it treats the proposal like a Remove Proposal, except the leaf node to remove
+is determined by looking in the Sender `leaf_index` of the original Proposal.
+The member is able to verify that the Sender was a member.
+
+Whenever a new joiner is about to join a self-remove-capable group with an
+External Commit, the new joiner MUST fetch any pending SelfRemove Proposals
+along with the GroupInfo object, and include the SelfRemove Proposals
+in its External Commit by reference. (An ExternalCommit can contain zero or
+more SelfRemove proposals). The new joiner MUST validate the SelfRemove
+Proposal before including it by reference, except that it skips the validation
+of the `membership_tag` because a non-member cannot verify membership.
+
+During validation, SelfRemove proposals are processed after Update proposals
+and before Remove proposals. If there is a pending SelfRemove proposal for a specific
+leaf node and a pending Remove proposal for the same leaf node, the Remove proposal is
+invalid. A client MUST NOT issue more than one SelfRemove proposal per epoch.
+
+The MLS Delivery Service (DS) needs to validate SelfRemove Proposals it
+receives (except that it cannot validate the `membership_tag`). If the DS
+provides a GroupInfo object to an external joiner, the DS SHOULD attach any
+SelfRemove proposals known to the DS to the GroupInfo object.
+
+As with Remove proposals, clients need to be able to receive a Commit
+message which removes them from the group via a SelfRemove. If the DS does
+not forward a Commit to a removed client, it needs to inform the removed
+client out-of-band.
+
 ## Last resort KeyPackages
 
 Type: KeyPackage extension
@@ -915,7 +1009,6 @@ it carries no additional data.
 As a result, a LastResort Extension contains the ExtensionType with an empty
 `extension_data` field.
 
-
 # IANA Considerations
 
 This document requests the addition of various new values under the heading
@@ -997,14 +1090,6 @@ no additional data.
 
 ## MLS Proposal Types
 
-### AppAck Proposal
-
-* Value: 0x0008
-* Name: app_ack
-* Recommended: Y
-* Path Required: Y
-* Reference: RFC XXXX
-
 ### Extension Proposal
 
 * Value: 0x0008
@@ -1032,6 +1117,26 @@ no additional data.
 * External Sender: Y
 * Reference: RFC XXXX
 
+### AppAck Proposal
+
+* Value: 0x000b
+* Name: app_ack
+* Recommended: Y
+* Path Required: Y
+* Reference: RFC XXXX
+
+### SelfRemove Proposal
+
+The `self_remove` MLS Proposal Type is used for a member to remove itself
+from a group more efficiently than using a `remove` proposal type, as the
+`self_remove` type is permitted in External Commits.
+
+* Value: 0x000c
+* Name: self_remove
+* Recommended: Y
+* External: N
+* Path Required: Y
+
 ## MLS Credential Types
 
 ### Extension Credential
@@ -1074,3 +1179,12 @@ could leak some private information visible in KeyPackages and inside an MLS gro
 They could be used to infer a specific implementation, platform, or even version.
 Clients should consider carefully the privacy implications in their environment of
 making a list of acceptable media types available.
+
+## SelfRemove
+
+An external recipient of a SelfRemove Proposal cannot verify the
+`membership_tag`. However, an external joiner also has no way to
+completely validate a GroupInfo object that it receives. An insider
+can prevent an External Join by providing either an invalid GroupInfo object
+or an invalid SelfRemove Proposal. The security properties of external joins
+does not change with the addition of this proposal type.