Public keys used to provide end-to-end encrypted communication services are often authenticated solely by the assertion of the communications service provider. As a result, the underlying encryption protocols are left vulnerable to eavesdropping and impersonation by active attackers, in particular the service provider itself, which can distribute malicious public keys to selectively gain access to communication. Similarly, a malicious service provider could take advantage of its privileged network position to launch a number of other attacks, such as:

* Silently partitioning a group, thereby selectively excluding some members of a group communication from the rest.

* Falsifying information about the state of a group, allowing it to eavesdrop on messages sent by new joiners.

To prevent these attacks, an end-to-end encrypted communication service provider and their end users need to  authenticate a user’s long-term identity key,  the state/membership of a group, and related meta-data (collectively referred to as artifacts). This authentication scheme must be:

* Transparent: All end-users (applications or devices) receive a globally-consistent view of the data associated with each artifact.

* User-friendly: Little (ideally zero) human user action, or even awareness, is required to achieve the authenticity guarantees.

* Private: The communication service provider is able to enforce access control policies such that the existence of a specific artifact or its associated data is only revealed by the service provider’s explicit choice.

* Efficient: The computational requirements for both the end-user  and the communication service provider scales sub-linearly with the number of end-users in the system.

* Sustainable: Data that’s no longer required by end-users may eventually stop being stored.

The KEYTRANS working group will develop a standard for authenticating information about artifacts in an end-to-end encrypted messaging system  with the above properties. This standardized approach will allow shared validation of the end-to-end encrypted communication service’s  security properties, and allows applications to share code.

It is not a goal of this working group to develop mechanisms for authenticating relationships between artifacts in an end-to-end encrypted system and external systems, only that certain data belongs to a given artifact. For example, it would not specify ways to verify that an account controls a phone number or email address, or belongs to a specific legal person.

It is not a goal of this working group to enable interoperability between end-to-end encrypted services. Full interoperability of an application would require alignment at many different layers beyond security.

Furthermore, it is not a goal of this working group to develop an end-to-end encryption protocol for user messages. Rather, the authentication mechanism developed by this group will be able to be integrated into other end-to-end encryption protocols. 

The main deliverables of the WG will be:

* Specifying an architecture for this authentication mechanism

* Standardizing the core scheme for authenticating information about artifacts in an end-to-end encrypted system

* Standardizing integrations of this authentication mechanism with other protocols (where the exact security guarantees provided will depend on the underlying encryption)

The WG will work collaboratively with the MLS WG.

Milestones:
Mar 2024 - Initial WG adoption of  for core transparent data authentication mechanism

Jul 2024 - Initial WG adoption describing MLS integration

Mar 2025 - Submit core transparent data authentication mechanism document  to IESG as Proposed Standard.

Mar 2025 - Submit MLS integration document to IESG as Proposed Standard.