While law enforcement continues its worldwide crusade against chat apps with end-to-end encryption, the Internet Engineering Task Force has proposed standards designed to let everybody have message security.
There are some heavy-hitters onboard. The requirements draft has people from Google, French research institute INRIA, Mozilla, Twitter, MIT, and the Wire collaboration platform, while the protocol's authors come from Cisco, Facebook, Google, the University of Oxford, and Wire.
As the requirements draft notes, MLS isn't designed as a chat protocol, but rather "is intended to be embedded in a concrete protocol", providing abstract data structures that can be mapped on encodings such as TLS 1.3 and JSON.
The architecture assumes that a messaging service needs an authentication service to maintain user identities, let them authenticate each other, and allow users to find each others' identity keys – and a delivery service that handles message-passing.
In an encrypted messaging platform like Signal, these two operations might be part of the same software, running on the same server, but they're logically distinct.
The delivery service (DS) also handles the public key processes needed to set up group keys (in the case of end-to-end encrypted group chats).
The draft explained that there's good reason to separate the logical processes. For example, it allows identity and authentication to exist in other processes (such as OAuth).
The authors believe the architecture should scale up to support at least 50,000 clients and those who access chat systems from multiple devices.
The privacy of message content isn't the only thing that can compromise users, as anyone familiar with metadata collection knows, and the draft acknowledged that.
"The protocol is designed in a way that limits the server-side [authentication service (AS) and DS] metadata footprint," the document said. "The DS must only persist data required for the delivery of messages and avoid Personally Identifiable Information (PII) or other sensitive metadata wherever possible. A Messaging Service provider that has control over both the AS and the DS, will not be able to correlate encrypted messages forwarded by the DS, with the initial public keys signed by the AS."
They said message authentication is important to make sure that members can neither impersonate other members, nor deny messages they sent. ®