PCS and compromised AS

[ekr]

PCS means that if a group member's state is compromised at some time t1 but the group member subsequently performs an update at some time t2, then all MLS guarantees apply to messages sent by the member after time t2, and by other members after they have processed the update. For example, if an attacker learns all secrets known to Alice at time t1, including both Alice's long-term secret keys and all shared group keys, but Alice performs a key update at time t2, then the attacker is unable to violate any of the MLS security properties after the updates have been processed.

Both of these properties are satisfied even against compromised DSs and ASs.

I see how this works with a compromised DS, but can't the AS effectively revoke Alice's original credential and issue it to someone else, who then does their own update, locking Alice out, and not providing PCS

[ekr]

@bifurcation

[Bren2010]

The last line is the problem here:

Both of these properties are satisfied even against compromised DSs and ASs.

Unless the AS is using Key Transparency, it can produce fake credentials for all the members of a group and impersonate or eavesdrop as much as it pleases.

However, as long as the AS and DS are not compromised, then an attacker that steals Alice's credential and issues its own Update will lock Alice out. The attacker gains nothing from locking Alice out (they can already impersonate her), and potentially makes Alice aware of the compromise.

[beurdouche]

I think this is enough, but please feel free to propose something else if that's not the case. https://github.com/mlswg/mls-architecture/commit/2b195434f4d991155ea95a0361cdea8ef603a562

[beurdouche]

Handled suggestion from Ekr's review in https://github.com/mlswg/mls-architecture/commit/167754b02bd965b81c3560b2079c5210a781bed0