Markdown Version | Transcript | Session Recording | Session Materials

Session Date/Time: 18 Mar 2026 06:00

MLS

The MLS working group met at IETF 125 to discuss the progress of active drafts, including extensions, post-quantum (PQ) combiners, and virtual clients. The session also covered several individual submissions regarding two-party profiles, signature optimizations, and credential types.

Summary

The group focused on finalizing several mature documents. draft-ietf-mls-extensions and draft-ietf-mls-pq-ciphersuites are approaching final Working Group Last Call (WGLC). Significant discussion occurred regarding the "Two Party Profile" and its potential for providing Post-Compromise Security (PCS) in protocols like TLS and QUIC, though formal adoption is pending coordination with other areas of the IETF. Progress continues on draft-ietf-mls-virtual-clients with implementation efforts revealing new integration requirements.

Key Discussion Points

Working Group Status and Active Drafts

• Extensions: Raphael Robert presented The Messaging Layer Security (MLS) Extensions. One open issue remains regarding mandated extensions in federated contexts. Rohan Mahy suggested an "opaque dictionary" extension to allow members to bypass unknown components in the group context without cryptographic eviction.
• Partial MLS: Richard Barnes noted that draft-ietf-mls-partial-mls (referenced as Light/Partial MLS) is implemented in MLS++ and ready for WGLC. A poll indicated roughly 5-10 participants had read the draft.
• Targeted Messages: Raphael Robert presented Messaging Layer Security (MLS) Targeted Messages. Discussion focused on whether to include ratchets for efficiency. Richard Barnes argued against ratchets, suggesting that if PCS/forward secrecy is needed beyond one-shot messages, users should create a new group. Rohan Mahy expressed interest in "wrapping" messages to support multiple recipients (e.g., sending to all moderators).
• PQ Ciphersuites: Rohan Mahy updated the group on ML-KEM and Hybrid Cipher Suites for Messaging Layer Security. The draft now includes nine ciphersuites to satisfy varying requirements for AES-128/SHA-256 and AES-256/SHA-384.
• Virtual Clients: Conrad Steckley presented MLS Virtual Clients. The draft is being merged with Brendan McMillion's subgroup work. Implementation in OpenMLS revealed that clients must be able to process their own commits and manage randomness injection differently than standard MLS.

Post-Quantum and Combiners

• Amortized PQ MLS Combiner: Marta Mularczyk presented Amortized PQ MLS Combiner. The draft was renamed to "Amortized" to avoid confusion with hybrid ciphersuites. It now aligns with the Safe Application Interface from the extensions draft, using the Safe Exporter for PSK injection.

Individual Submissions

• Fewer Signatures: Conrad Steckley presented Fewer Signatures, aimed at reducing overhead for ML-DSA by hashing outer message structures into the leaf node signature. Rohan Mahy raised a concern regarding a potential circular dependency ("Klein bottle" problem) when applying this to internal commits that include the group context in the transcript hash.
• MLS Two Party Profile: Conrad Steckley presented MLS Two Party Profile. The goal is to provide a standardized way to use MLS for long-lived two-party connections (e.g., in QUIC/TLS) to gain PCS. Richard Barnes noted Cisco IPR and research-grade implementations. While there was strong interest (10+ readers and several potential implementers), the chairs decided to wait for coordination with the Security Area Advisory Group (SAG) and SECDISPATCH to determine if this work should stay in the MLS WG or move elsewhere.
• Private External Commits: Rohan Mahy presented Private External Commits and External Proposals. This addresses privacy leaks in environments with private distribution services (e.g., XMTP) by encrypting external commits via HPKE.
• Web Token Credentials: Rohan Mahy presented Web Token Credentials (and others), introducing Selective Disclosure JWTs (SD-JWT) and COTs for MLS credentials. This would allow disclosing specific identity claims to group members while hiding them from the Distribution Service.

Decisions and Action Items

• Decision: The WG will issue a second WGLC for draft-ietf-mls-extensions after the "opaque dictionary" PR is integrated.
• Decision: draft-ietf-mls-pq-ciphersuites is ready for WGLC.
• Decision: draft-ietf-mls-combiner (Amortized PQ MLS Combiner) will undergo a final WGLC once the latest PRs addressing Safe API alignment are merged.
• Decision: draft-mahy-mls-ratchet-tree-options is formally adopted as a WG item.
• Action Item: Richard Barnes to update the Partial MLS draft and provide test vectors.
• Action Item: Conrad Steckley to investigate the circular dependency issue in the Fewer Signatures proposal.
• Action Item: Chairs to coordinate with SECDISPATCH/SAG regarding the venue for the Two Party Profile work.

Next Steps

• Progress mature drafts (Extensions, PQ Ciphersuites, Combiner) through WGLC.
• Continue implementation and security analysis for Virtual Clients.
• Rohan Mahy and Chairs to refine the list of "missing" MLS features (e.g., malicious member replay, update path forks) for future WG prioritization.

Related Documents

draft-ietf-mls-combiner, draft-ietf-mls-extensions, draft-ietf-mls-partial-mls, draft-ietf-mls-pq-ciphersuites, draft-ietf-mls-virtual-clients, draft-mahy-mls-ratchet-tree-options