Open TWal opened 3 weeks ago
Thinking more about init keys, we should also recommend regularly rotating key packages that are on the delivery service, even if they are not used. This could otherwise undermine post-compromise security: the attacker could compromise the initialization key of someone, and when the corresponding key package is added to a group later (e.g. several months after the compromise) the attacker can decrypt the messages exchanged in this group until the participant updates.
There are some hints that key packages must expire: https://github.com/mlswg/mls-architecture/blob/b8893e0e158defae99ed57caca300a4151598fe0/draft-ietf-mls-architecture.md?plain=1#L1819-L1822 but I think this kind of attack undermines post-compromise security rather than forward secrecy.
Because the `joiner_secret` is encrypted to the `init_key` of joiners, if the joiners don't delete their `init_key` after processing a Welcome, this could undermine forward secrecy. I noticed that the document doesn't give any precise recommendations about that. There are some hints scattered in the document, but they give recommendations to participants adding other participants, not to participants being added: https://github.com/mlswg/mls-architecture/blob/b091b3a30d6f9d2f46383f7bd152058f0fbfc9b1/draft-ietf-mls-architecture.md?plain=1#L670-L672
This PR adds a recommendation for that. I am not sure how to proceed; I have made an attempt, but it might belong to another section!
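As an added illustration of the two points raised in this thread (example code, not part of the PR or of the mls-architecture draft): a toy model in which a joiner that keeps its `init_key` after processing a Welcome lets a later compromise of its key store decrypt a recorded Welcome, while deleting the key on use, and expiring key packages that sit unused on the delivery service, closes that window. The DH group, KDF and Welcome layout are insecure stand-ins for HPKE chosen for the demo; the class and function names are assumptions, not MLS API.

```python
# Added toy model of MLS Welcome processing: a joiner that keeps its init_key
# after joining leaks the joiner_secret to a later compromise; deleting it does not.
# The DH group and KDF are insecure stand-ins for HPKE, not MLS's real primitives.
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3          # toy group parameters (demo only, not a real HPKE group)

def kdf(shared: int) -> bytes:
    return hmac.new(shared.to_bytes(16, "big"), b"welcome", hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Joiner:
    """Holds published key packages as {init_pub: (init_priv, created_at)}."""
    def __init__(self, delete_after_use: bool, lifetime: int = 30):
        self.packages, self.delete_after_use, self.lifetime = {}, delete_after_use, lifetime

    def publish_key_package(self, now: int) -> int:
        priv = secrets.randbelow(P - 2) + 1
        self.packages[(pub := pow(G, priv, P))] = (priv, now)
        return pub

    def expire_unused(self, now: int) -> None:
        # rotation: drop packages that have sat on the delivery service past their lifetime
        self.packages = {k: v for k, v in self.packages.items() if now - v[1] < self.lifetime}

    def process_welcome(self, welcome) -> bytes:
        eph_pub, ct, init_pub = welcome
        joiner_secret = xor(ct, kdf(pow(eph_pub, self.packages[init_pub][0], P)))
        if self.delete_after_use:
            del self.packages[init_pub]      # the recommendation under discussion
        return joiner_secret

def make_welcome(init_pub: int, joiner_secret: bytes):
    """Adder side: encrypt joiner_secret to the joiner's init_key (toy ECIES-style)."""
    eph = secrets.randbelow(P - 2) + 1
    return pow(G, eph, P), xor(joiner_secret, kdf(pow(init_pub, eph, P))), init_pub

def demo(delete_after_use: bool) -> bool:
    """True if a compromise after the join exposes joiner_secret from a recorded Welcome."""
    joiner = Joiner(delete_after_use)
    welcome = make_welcome(joiner.publish_key_package(now=0), secrets.token_bytes(32))
    joiner_secret = joiner.process_welcome(welcome)
    eph_pub, ct, init_pub = welcome
    stolen = joiner.packages                 # attacker copies the key store after the join
    if init_pub not in stolen:
        return False
    return xor(ct, kdf(pow(eph_pub, stolen[init_pub][0], P))) == joiner_secret
```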