MIMI Delivery Service

Introduction The MLS protocol document specifies a protocol between two or more clients. The MLS architecture document introduces an abstract concept of a "Delivery Service" (DS) that is specifically responsible for ordering handshake messages and more generally for delivering messages to the intended recipients. This document describes a Delivery Service that performs the mandated ordering of handshake messages and uses MLS to implement a variety of other features:

A protocol between clients and the Delivery Service that allows clients to interact with the Delivery Service, including the specific wire format of the messages. The protocol is specifically designed to be operated in a decentralized, federated architecture but can be used in single instances as well.
Assistance for new joiners of a group: The Delivery Service can keep and update state such as the public ratchet tree, group extensions, etc.
Message validation: The Delivery Service can inspect and validate handshake messages and reject malformed, invalid or malicious messages.
Built-in authentication of group members and policy enforcement: The Delivery Service can authenticate group members and reject messages from non-members. Additionally, the Delivery Service can be linked to the Authentication Service to enforce more policies and validation rules.
Scalability: The protocol makes no assumption about whether the Delivery Service runs as a single instance or as a cluster of instances.
Network fluid: While the Delivery Service would typically run as a server-side component, the only requirement is that it is accessible by all clients.
Transport agnostic: Messages between clients and the Delivery Service can be sent via an arbitrary transport protocol. Additionally, in the federated case, client messages to a guest Delivery Service can be forwarded by a client's local instance of this service.

TODO: Make use of MUST/SHOULD, etc. throughout.

Terminology This document uses the terminology defined in with the following additions:

DS Domain: Fully qualified domain name as defined in that represents the DS. This does not necessarily have to be the domain under which the DS is reachable on the network. Discovering that domain is the responsibility of the transport protocol over which the MIMI DS protocol runs. TODO: client identifiers definitions are preliminary.
Client: An MLS client with a unique client identifier.
Client identifier: An octet string that uniquely identifies the client and that maps to the DS domain of the client's DS.

Interfaces The MIMI DS tracks the state of individual MLS groups on a hub by processing group operations. The MIMI DS can process the following requests originating from clients:

Add clients to a group
Inject the sending client into a group (external join)
Remove clients from a group
Updates their MLS key material
Send application messages

TODO: This list will either grow longer if we want to keep distinct operations, or shorter, if we don't. In the latter case, we'll need more extensive commit validation. Follower servers can send requests the following:

Retrieve the group state required for a client to (re-)join a group
Retrieve KeyPackages for one or more client associated with this DS
Propose adding a client to a group
Propose removing a client from a group
Propose re-initializing of a group

TODO: Probably more proposals. Regardless if a request came from a client or a follower server, the MIMI DS will process in two steps: Staging and merging. The first step consists of authentication and validation checks, after which the MIMI DS stages the changes to the group state that result from the requested operation. In a second step, the MIMI DS merges the staged changes into the MLS group state. Locally, the MIMI DS thus provides the following interface:

Provide a Membership list (and associated metadata)
Process a query from a client and stage the corresponding changes
Process a query from a follower server and stage the corresponding changes
Merge the changes resulting from a previously processed query

Naturally, the local interface allows the same operations as for follower servers.

Architecture and protocol overview The MIMI DS protocol allows interoperability between a hub which hosts a group conversation and one or more guest DSs which are home to one or more of the conversation's group members. Underlying each group conversation is an MLS group that facilitates end-to-end encryption and authentication between group members. The main purpose of the MIMI DS protocol thus is to ensure that guest clients can participate in the group. With MLS as the underlying protocol, this means that the MIMI DS protocol is primarily concerned with the fan-out of MLS messages (both from and to guest clients), as well the assistance of guest clients in joining MLS groups. The MIMI DS protocol requires clients to send MLS messages as PublicMessages (with the exception of messages with content type application). This allows the hub to track the MLS group state in the same way as a client would, enabling it to keep an up-to-date and fully authenticated list of members, as well as provide the full MLS group state to joining group members, even for those joining via external commit. In addition, the DS can verify messages and enforce access control policies on group operations.

Client to server and server to server protocol MLS being a protocol for end-to-end encryption, the MLS protocol messages that many of the MIMI DS protocol messages have to originate from the clients rather than the interoperating delivery services. The MIMI DS protocol consists of two parts: A client-to-server part that allows guest clients to interact with the hub of one of their groups and a server-to-server protocol that allows a hub to fan out messages to guest DSs, which can subsequently store and forward messages to their respective clients. Note that the client-to-server part of the protocol can optionally be proxied via the guest DS of the sending client.

Transport for the MIMI DS protocol The MIMI DS protocol requires a transport protocol that provides confidentiality of messages and that allows the discovery of a DS based on the DS domain in a client identifier. The client-to-server part of the MIMI DS protocol provide sender authentication. Recipient authentication, as well as mutual server-to-server authentication is left to the MIMI transport protocol.

Flow

Architecture overview + | | Sending | (proprietary | Guest DS | | Client | protocol) | | | +<-------------+ | +-------------+ +--+--------+--+ | ^ DSRequest | | DSResponse v | +--+--------+--+ | | | Hub | | | | | +--+--------+--+ | ^ DSFanoutRequest | | DSFanoutResponse v | +--+--------+--+ | | | Guest DS | | | | | +--------------+ ]]> shows an example protocol flow, where a client sends a request to its own guest DS, which in turn makes a request to the hub. The hub then fans out a message to another guest DS. Both the message sending and the fanout parts of the protocol are designed in a request/response pattern. In the first protocol part, the client sends a DSRequest message to the Delivery Service and the Delivery Service responds with a DSResponse message. This pattern can easily be used over e.g. RESTful APIs.

Delivery Service Request/Response scheme | | | | DSResponse | |<---------------+ | | ]]> For the second part of the protocol the Delivery Service sends a DSFanoutRequest to each guest DS. This happens whenever a message needs to be fanned out to all other members of a group as a result of an incoming DSRequest. The guest DS in turn responds with a DSFanoutResponse.

Client/Delivery Service communication with fanout | | | | | | DSResponse | | |<---------------+ | | | DSFanoutRequest | | +-------------------------------->| | | | | | DSFanoutResponse | | |<--------------------------------+ | | | ]]>

Serialization format MLS messages use the presentation language and encoding format defined in with the extensions defined in the MLS protocol specification. The MIMI DS protocol uses the same serialization format, as both clients and DS already have to support it to process MLS messages. Octet strings resulting from serialization in this format are unambiguous and require no further canonicalization.

KeyPackages Clients have to upload KeyPackages such that others can add them to groups. In the context of interoperability, this means that clients have to be able to download KeyPackages of clients belonging to other DSs. The MIMI DS protocol allows clients to download the KeyPackages of other clients. Uploading KeyPackages is outside of the scope of this protocol, as it is not relevant for interoperability. TODO: KeyPackages of last resort should be marked. Ideally by using a KeyPackage extension.

Enqueue authorization TODO: This section sketches an authorization mechanism based on a KeyPackage extension. That extension would have to be defined in the context of the MLS WG. Each KeyPackage that a client publishes also carries a FanoutAuthToken inside a FanoutAuth KeyPackage extension. ; } FanoutAuthToken ]]> Whenever a client is added to a group (or when a new group is created), the DS checks that the KeyPackages of all joiners contain a FanoutAuth extension and stores the contained token alongside the group state. The FanoutAuthToken is included in DSFanoutRequests and allows the receiving DS to check whether the sender is authorized to enqueue messages for the recipient. Clients can change their FanoutAuthToken by sending a new token with an update operation. TODO: Details on the cryptographic scheme underlying the token.

Version agility MLS provides version, ciphersuite and extension agility. The versions, ciphersuites and extensions a client supports are advertised in its LeafNodes, both in all of the client's groups, as well as in its KeyPackages through the Capabilities field (Section 7.2 of ). MLS DS protocol clients MUST make use of a LeafNode extension to advertise the MIMI DS protocol versions they support. TODO: Such an extension would have to be specified in the context of the MLS WG.

Group lifecycle Upon creation MLS groups are parameterized by a GroupID, an MLS version number, as well as a ciphersuite. All three parameters are fixed and cannot be changed throughout the lifetime of a group. Groups capable of interoperability with the MIMI DS protocol MUST use a GroupContext extension that indicates the MIMI DS protocol version with which it was created. This extension MUST NOT be changed throughout the lifetime of the group. While all these parameters cannot be changed throughout a group's lifetime, the group can be re-initialized as described in Section 11.2. of to create a new group with a new set of parameters. The MIMI DS protocol supports re-initializations of groups using the corresponding ReInitialization operation under the condition that all MLS parameters are compatible with the MIMI DS protocol version. If a group is no longer used, it can be deleted either by a client or the DS itself. TODO: Each MIMI DS protocol version should probably fix a set of ciphersuites, MLS protocol versions and maybe even extensions it supports. New ones can be added with protocol version upgrades.

Security properties overview The MIMI DS protocol provides a number of security guarantees.

MLS-based security properties The MLS protocol underlying the MIMI DS protocol provides a number of security guarantees that primarily affect end-to-end communication between clients such as authentication and confidentiality with forward- as well as post-compromise security (although the latter only holds for application messages). While the MIMI DS protocol acts as a layer around the MLS protocol it inherits some of MLSs security guarantees. More concretely, the DS can verify client signatures on MLS messages and thus ensure that end-to-end authentication holds. Since the DS uses MLS messages to track the group state (including group membership), it is guaranteed to have the same view of that state as the group members.

Framing and processing overview

Client to server requests All client to server requests consist of a MIMI DS specific protocol wrapper called DSRequst. DSRequest contains the MIMI DS protocol version, a body with operation-specific data, as well as authentication information. A DS supports a variety of operations. For presentational reasons, we only define DSRequestType and the corresponding case statement in DSRequestBody partially here. The full definition with all operations relevant for the normal DS operating mode can be found in . The authentication_data field of a DSRequest depends on the request type and contains the data necessary for the DS to authenticate the request. ; } } DSAuthData; ]]> Before the DS performs the requested operation, it performs an authentication operation depending on the DSAuthType.

Anonymous: No authentication required
ClientSignature: The DS uses the public signature key of the MLS client in leaf with the leaf index sender_index to verify the signature over the following struct:

Note that all group operations additionally contain an MLSMessage the content of which mirrors the request type, e.g., an AddClients request wraps an MLS commit that in turn contains the Add proposals for the clients to be added. In that case, the DS uses the GroupID inside the MLSMessage to determine which group the request refers to and verifies the MLSMessage in the same way an MLS client would (including the signature). Depending on the nature of the request, clients can also include data in the AAD field of the MLSMessage, where it can be read and authenticated by both DS and all other group members. After performing the desired operation using the data in DSRequestBody the DS responds to the client (or the proxying guest DS) with a DSResponse. ratchet_tree; case ExternalCommit: MLSMessage: group_info; optional ratchet_tree; case KeyPackages: KeyPackage key_packages; } } struct { TODO: Operation specific errors. } DSError ]]>

Server to server requests After sending the response, and depending on the operation the DS might fan out messages to one or more guest DSs. To that end, it wraps the MLSMessage to be fanned out into a DSFanoutRequest. In addition to the MLSMessage, the DSFanoutRequest contains the protocol version, a list of client ids representing the clients for which the payload is meant, a FanoutAuthToken (see ) for each of the clients, as well as the payload to be fanned out. ; FanoutAuthToken fanout_auth_tokens; MLSMessage mls_message; } DSFanoutRequest ]]> The receiving DS first verifies the signature using the sending DS' public signature key and then further validates the message by performing the following checks:

That the protocol version is compatible with its configuration
That the recipient_ids are all clients of this DS
The the fanout_auth_tokens are all valid tokens for the individual recipients

The recieving DS can then store and forward the contained MLS message to the clients indicated in the recipient_ids field and send a DSFanoutResponse.

DS assisted joining To verify and deliver messages, authenticate clients as members of a group and to assist clients that want to join a group, the DS keeps track of the state of each group for which it is the hub. More specifically, it keeps track of the group's ratchet tree, the group's GroupContext and other information required to produce a valid GroupInfo for the current group epoch. It does this by processing incoming MLS messages in the same way a member of that group would, except of course that the DS doesn't hold any private key material. While MLS messages are sufficient to keep track of most of the group information, it is not quite enough to create a GroupInfo. To allow the DS to provide a valid GroupInfo to externally joining clients, it additionally requires clients to provide the remaining required information. Concretely, it requires clients to upload the Signature and the GroupInfo extensions. Clients need to send this information whenever they send an MLS message (i.e. an MLSMessage struct) that contains a commit. ; opaque Signature; } PartialGroupInfo ]]> The combination of a commit and a partial group info is called an MLSGroupUpdate. Whenever the DS receives an MLSGroupUpdate, it must verify that the MLSMessage contains a PublicMessage with a commit and that commit and partial group info are valid relative to the existing group state according to the MLS specification. TODO: For now there is no distinct endpoint to obtain authentication material that allows the DS to authenticate clients. This would be part of the AS design. By tracking the group information in this way, the DS can help clients that join via external commit by providing them with a ratchet tree and a group into. Similary, clients that wish to join a group via a regular invite (i.e. a Welcome message) have already received a GroupInfo and can obtain a ratchet tree from the DS. In the time between a client being added to a group by a commit and the client wanting to join the group, the group state can have progressed by one or more epochs. As a consequence, the DS MUST keep track of epochs in which clients are added and store the corresponding group states until each client has successfully joined.

Proposals and DS-initiated operations MLS relies on a proposal-commit logic, where the proposals encode the specific action the sending client intends to take and the commit then performs the actions of a set of commits. The advantage of this approach is that the sender of the proposal does not have to be the committer, which allows, for example, the DS to propose the removal of a client, or a client to propose that it be removed from the group. Note that the latter example is the only way that a client can remove itself (i.e. leave) from a group. Such proposals, where the original sender differs from the sender of the commit are called "proposal by reference", or "proposal by value" if the proposal is sent by the committer as part of the commit itself. The following sections detail operations that can be performed by clients, so each operation that entails a change to the group state (with the exception of the self remove operation) require the sender to perform a commit, where the semantics of the operation are reflected as proposals by value. For example, the commit in the AddClientsRequest must only contain Add proposals. If a client receives a valid standalone proposal, it MUST store it and verify that the next commit includes said proposal. TODO: Be more specific about proposal validation. Also, we might want to allow the server to rescind a proposal. Whenever a client sends a commit as part of an operation, it MUST include all stored proposals by reference, such as server-initiated Remove proposals, or proposals sent as part of a self-remove operation. TODO: Proposals by reference pose a problem in the context of external commits, as, even if the external committer had access to all proposals in an epoch, it wouldn't be able to verify them, thus potentially leading to an invalid external commit. A solution could be introduced either as part of the MIMI DS protocol, or as an MLS extension. The latter would be preferable, as other users of MLS are likely going to encounter the same problem. To allow the DS to send proposals, all groups MUST contain an external_senders extension as defined in Section 12.1.8.1. of that includes the DS' credential and its signature public key. TODO: We might also want to mandate that the group includes credentials of guest DSs involved in the group. However, for them to be able to send proposals, we'd need an additional operation/endpoint that the DS exposes. TODO: Details of the DS credential, distribution, etc. A BasicCredential with the FQDN of the DS would probably be sufficient. The DS can simply create such proposals itself based on the group information and distribute it to all group members via regular DSFanoutRequests.

Client removals The DS can propose that one or more clients be removed from a given group. To that end, it issues a remove proposal for each client it wants removed, where each remove proposal targets the leaf of one of the clients in question.

Client additions The DS can propose that one or more clients be added to the group. It does so by issueing an add proposal for each client, where each add proposal contains a KeyPackage of the respective client. TODO: If the DS should be allowed to add clients that belong to another DS, we need an endpoint that allows DSs to fetch KeyPackages from one-another.

Client-initiated operations The DS supports a number of operations, each of which is represented by a variant of the DSRequestType enum and has its own request body.

Request group id Clients can use this operation to request a group id. This group ID can subsequently used to create a group on this DS. After receiving this request, the DS generates a unique group id and responds with a DSResponse struct of type GroupID.

Delete group A request from the client to delete a group from the Delivery Service. This operation allows clients to delete a group from the DS. Clients can of course keep a copy of the group state locally for archival purposes. Validation: The Delivery Service validates the request as follows:

The MLSGroupUpdate MUST contain a PublicMessage with a commit that contains Remove proposals for every member of the group except the committer.

Add clients to a group A request from a client to add one or more clients. This operation allows clients to add other clients to an existing group. Alternatively, new clients can add themselves by joining via external commit. ; } AddClientsRequest; ]]> Validation:

The MLSGroupUpdate MUST contain a PublicMessage with a commit that contains only Add proposals with the possible exception of Remove proposals as detailed in .
The commit MUST NOT change the sender's client credential.
All KeyPackages included in Add proposals MUST include a FanoutAuth extension.

Remove clients from a group A request from a client to remove one or more other clients. Note that this operation cannot be used by a client to remove itself from the group. For that purpose, the SelfRemoveClientRequest should be used instead. Validation:

The MLSGroupUpdate MUST contain a PublicMessage with a commit that contains only Remove proposals.
The commit MUST NOT change the sender's client credential.

Self remove a client from a group A request from a client to remove itself from the group. Note that this request only contains a proposal, so the client is not effectively removed from the group until another group member commits that proposal. See for more details. Validation:

The MLSMessage MUST contain a PublicMessage that contains a single Remove proposal.
The Remove proposal MUST target the sending client.

Update a client in a group A request from a client to update its own leaf in an MLS group. This operation can be used to update any information in the sender's leaf node. For example, the sender could use this operation to update its key material to achieve post-compromise security, update its Capabilities extension, or its leaf credential. The sending client can also choose to send a FanoutAuthToken, which the DS uses to replace the client's existing token. token; } UpdateClientRequest; ]]> Validation:

The MLSGroupUpdate MUST contain a PublicMessage that contains a commit with an UpdatePath, but no other proposals by value.
If the leaf credential is changed by the update, the DS MUST validate the new credential.

TODO: The discussion around identity and credentials should yield a method to judge if a new credential is a valid update to an existing one.

Join the group using an external commit A request from a client to join a group using an external commit, i.e. without the help of an existing group member. This operation can be used, for example, by existing group members that have to recover from state loss. To retrieve the information necessary to create the external commit, the joiner has to fetch the external commit information from the DS. Validation:

The MLSGroupUpdate MUST contain a PublicMessage that contains a commit with sender type NewMemberCommit.

Send an application message to a group A request from a client to fan out an application message to a group. This operation is meant to send arbitrary data to the rest of the group. Since the application message is a PrivateMessage, the DS can not verify its content or authenticate its sender (even though it does authenticate the sender of the surrounding DSRequest). Validation:

The MLSMessage MUST contain a PrivateMessage with ContentType application.

Fetch KeyPackages of one or more clients A request from a client to retrieve the KeyPackage(s) of one or more clients of this DS. KeyPackages are required to add other clients (and thus other users) to a group. ; } KeyPackagesRequest; ]]> The DS responds with the KeyPackages of all clients listed in the request. Validation:

All client identifiers MUST refer to clients native to this DS.
The DS SHOULD verify that the sender of the request is authorized to retrieve the DSKeyPackages of the clients in question.

ReInitialize a group A request from a client to re-initialize a group with different parameters as outlined in . Validation:

The MLSGroupUpdate MUST contain a PublicMessage that contains a commit with a re-init proposal.
The GroupID in the re-init proposal MUST point to another group on this hub, which has a MIMI DS protocol version that is greater or equal than this group.

DSFanoutRequests After the DS has processed an incoming MLSMessage, it prepares a DSFanoutRequest as described in . For DS to DS communication, the MIMI DS protocol relies on the underlying transport protocol to provide mutual authentication.

Rate-limiting and spam prevention All requests (with the exception of the VerificationKeyRequest) can be explicitly authenticated by the recipient through the verification of a signature. This means that recipients can follow a rate-limiting strategy of their choice based on the sender's identity. For DSRequests, the DS can rate-limit on a per group-level, per-DS level (reducing the messages from all clients belonging to a single DS), or even based on individual clients. For DSFanoutRequests, rate-limiting or blocking can happen based on the identity of the sending DS, or it can happen on a per-group basis, where the recipient only blocks messages from a particular group. Such rate-limiting can happen by decision of the DS itself, or on the request of its local clients. For example, a client might wish to block connection requests from one specific other client without blocking connection requests from all other clients of that DS.

Abusive and illegal content As all application messages are encrypted, the DS has no way of analyzing their content for illegal or abusive content. It may make use of a message franking scheme to allow its clients to report such content, although this is beyond the scope of this document. Additionally, in the same way as a DS might allow its clients to block certain messages from specific clients in the context of spam prevention, it may do the same based on abusive or illegal content.

Security considerations TODO: There is currently no consensus in the MIMI w.r.t. the security goals we want to reach. The underlying MLS protocol provides end-to-end encryption and authentication for all MLSMessages, as well as group state agreement.

Transport Security Transport of DSFanoutRequests, as well as their responses MUST use a recipient authenticated transport. This is to ensure that these messages are mutually authenticated. To protect the metadata in all request-response flows, requests and responses SHOULD be secured using an encrypted transport channel.