Re: [MLS] Deniability -> "recording"?

Benjamin Beurdouche <> Thu, 23 January 2020 14:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D65E81200C5 for <>; Thu, 23 Jan 2020 06:45:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ADW83Y8rrBxx for <>; Thu, 23 Jan 2020 06:45:35 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9DCE312004D for <>; Thu, 23 Jan 2020 06:45:34 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.70,354,1574118000"; d="scan'208";a="432733524"
Received: from (HELO []) ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Jan 2020 15:45:22 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.\))
From: Benjamin Beurdouche <>
In-Reply-To: <>
Date: Thu, 23 Jan 2020 15:45:21 +0100
Cc: Cas Cremers <>, ML Messaging Layer Security <>, "" <>, "" <>, "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <>
To: Dave Cridland <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [MLS] Deniability -> "recording"?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 23 Jan 2020 14:45:37 -0000

> We can work around the PFS by (in effect) using MLS as a groupwise key exchange protocol and exporting a longer term key for message encryption, but if we destroy cryptographic integrity post-facto, as I assume we mean by deniability, then that makes life increasingly unpleasant for the cases where people actually want different properties.
> In short, preventing various groups making use of MLS is not security first.

In general, I don’t see deniability and authentication as such a strong opposition.

But anyway, MLS is currently at a sweet spot in terms of design:
As a default, because we have such a variety of use cases for the protocol, the authentication
service is responsible for the biding between an identity and the signature key which is used
by the protocol to authenticate members whether it is in a deniable way or not.

The authors and collaborators of the working group are gonna carefully document
each security tradeoffs in the architecture document, but ultimately, since each provider
has the ability to tune the exact way to provide and verify these signing keys, I think there
is no concern to have overall. We will remain careful to allow all these use cases...