]> Rohan Mahy Consulting Services

rohan.ietf@gmail.com

Security Messaging Layer Security MLS credential SD-CWT SD-KBT SD-JWT key binding selective disclosure The Messaging Layer Security (MLS) protocol contains Credentials used to authenticate an MLS client with a signature key pair. Selective Disclosure CBOR Web Tokens (SD-CWT) and Selective Disclosure JSON Web Tokens (SD-JWT) define token formats where the holder can selectively reveal claims about itself with strong integrity protection and cryptographic binding to the holder's key. This document defines MLS credentials for both these token types. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Messaging Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction This document defines new MLS credential types for SD-CWT and SD-JWT tokens respectively. The SD-CWT Credential contains a Selective Disclosure Key Binding Token (SD-KBT). The SD-JWT Credential contains SD-JWT with Key Binding (SD-JWT+KB), which could be represented in the traditional data format, or in a more compact binary encoding. The "holder" of one of these tokens could be the MLS client including the token in its Credential in its LeafNode (in a group or in a KeyPackage) or in an ExternalSender structure.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The term Credential is used as defined in . The terms MLS Distribution Service (DS) and MLS Authentication Service (AS) are used as defined in . The terms MLS client, MLS group, LeafNode, KeyPackage, PublicMessage, PrivateMessage, ratchet tree, and GroupInfo are likewise common MLS terms defined in .

New MLS Credential types This document extends the list of defined CredentialTypes in MLS to include sd_cwt and sd_jwt types. Additional syntax and semantics are defined in the following subsections. ; case x509: Certificate certificates; ... case sd_cwt: opaque sd_kbt; case sd_jwt: SdJwt sd_jwt; }; } Credential; ]]> The MLS architecture describes the Authentication Services as having the following three services (i.e. requirements):

1. Issue credentials to clients that attest to bindings between identities and signature key pairs
2. Enable a client to verify that a credential presented by another client is valid with respect to a reference identifier
3. Enable a group member to verify that a credential represents the same client as another credential

The consequence of this is that the consumer of the SD-CWT or SD-JWT needs to be able to determine both the MLS client and the application identity referred to in a token in a Credential.

MLS SD-CWT Credential An MLS SD-CWT Credential contains a single SD-KBT, containing an SD-CWT in the KBT protected header. The SD-CWT contains zero of more disclosures (in the sd_claims header field). Any party that can view the credential can read the disclosed claims. For example if LeafNodes are visible to the MLS DS, because MLS handshake messages are conveyed in PublicMessage, the disclosed claims would also be visible to the DS. The SD-CWT inside the credential MAY include zero or more encrypted disclosures (in the sd_encrypted_claims header field). Each encrypted disclosure is separately AEAD encrypted with a per-disclosure unique ephemeral key and salt. The per-disclosure encryption key allows the holder/MLS client to disclose an element to a specific subset of members, or (in the common case when the DS is privy to the ratchet tree) only to members of the group. A proof of concept to decrypt encrypted disclosures only for members of the group is described in . The audience in the SD-KBT is either a representation of the MLS group, or a higher-level application structure associated with an MLS group or tightly-coupled collection of groups (for example, a chat room which maintains one MLS group for the main discussion and another for moderators to discuss the moderation of the room) such that being in one group without the collection would be nonsensical. The subject in the SD-CWT represents a specific MLS client (for example a COSE key thumbprint, or a client ID URI). It should not use an identifier which represents multiple signature key pairs of the same type, or represents the same "user" on multiple devices.

MLS SD-JWT Credential The SD-JWT Credential can be represented in the classic SD-JWT+KB data format defined in (shown below), or in a more compact binary representation. MLS SD-JWT Credentials MUST include the Key Binding.

• TODO: Discuss if the LeafNode signature over the Credential is sufficient

The classic format uses only characters from the unpadded base64url character set (Section 5 of ) plus the period (.) character to separate the three parts of the Issuer-signed JWT, and the tilde (~) character to separate disclosures from the other components.

SD-JWT+KB in classic format ~~~...~~ ]]>

This document also defines a "compacted" format where each of the components of the Issuer-signed JWT, every Disclosure, and the KB-JWT are base64url decoded and stored in individual fields in the SdJwt struct. ; opaque payload; opaque signature; SdJwtDisclosure disclosures; opaque sd_jwt_key_binding; case false: opaque sd_jwt_kb; }; } SdJwt; enum { false(0), true(1) } Bool; ]]>

• The compacted variant allows implementations to tradeoff reduced size for the extra processing cost of base64url encoding and decoding the Credential.

Security Considerations The privacy considerations in SD-CWT, SD-JWT, and MLS apply. TODO more security.

Privacy Considerations The privacy considerations in SD-CWT and SD-JWT apply. The privacy considerations of MLS are largely discussed in . TODO more privacy.

IANA Considerations This document requests IANA to add the following entries to the MLS Credential Types registry. Please replace RFCXXXX with the RFC of this document.

SD-CWT Credential

• Value: 0x0005 (suggested)
• Name: sd_cwt
• Recommended: Y
• Reference: RFCXXXX

SD-JWT Credential

• Value: 0x0006 (suggested)
• Name: sd_jwt
• Recommended: Y
• Reference: RFCXXXX

References Normative References Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands. mesur.io Transmute Fraunhofer SIT Rohan Mahy Consulting Services This document describes a data minimization technique for use with CBOR Web Token (CWT). The approach is based on Selective Disclosure JSON Web Token (SD-JWT), with changes to align with CBOR Object Signing and Encryption (COSE). Authlete Keio University Ping Identity This specification defines a mechanism for the selective disclosure of individual elements of a JSON-encoded data structure used as the payload of a JSON Web Signature (JWS). The primary use case is the selective disclosure of JSON Web Token (JWT) claims. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Inria & Mozilla Windy Hill Systems, LLC Wire The Messaging Layer Security (MLS) protocol (I-D.ietf-mls-protocol) provides a Group Key Agreement protocol for messaging applications. MLS is meant to protect against eavesdropping, tampering, message forgery, and provide Forward Secrecy (FS) and Post-Compromise Security (PCS). This document describes the architecture for using MLS in a general secure group messaging infrastructure and defines the security goals for MLS. It provides guidance on building a group messaging system and discusses security and privacy tradeoffs offered by multiple security mechanisms that are part of the MLS protocol (e.g., frequency of public encryption key rotation). The document also provides guidance for parts of the infrastructure that are not standardized by MLS and are instead left to the application. While the recommendations of this document are not mandatory to follow in order to interoperate at the protocol level, they affect the overall security guarantees that are achieved by a messaging application. This is especially true in the case of active adversaries that are able to compromise clients, the delivery service, or the authentication service. This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] Informative References

Acknowledgments Thanks to Richard Barnes for his comment.