Don't require new_member sender type to sign GroupContext.

mlswg · May 12, 2022 · 757247e · 757247e
1 parent f64c3eb
commit 757247e
Showing 1 changed file with 17 additions and 24 deletions.
diff --git a/draft-ietf-mls-protocol.md b/draft-ietf-mls-protocol.md
@@ -1479,8 +1479,19 @@ MLSMessageContent is authenticated using the MLSMessageAuth structure.
 
 ~~~ tls
 struct {
-    opaque mac_value<V>;
-} MAC;
+    ProtocolVersion version = mls10;
+    WireFormat wire_format;
+    MLSMessageContent content;
+    select (MLSMessageContentTBS.content.sender.sender_type) {
+        case member:
+            GroupContext context;
+        case new_member:
+        case external:
+            struct{};
+    }
+} MLSMessageContentTBS;
+
+opaque MAC<V>;
 
 struct {
     // SignWithLabel(., "MLSMessageContentTBS", MLSMessageContentTBS)
@@ -1500,8 +1511,8 @@ struct {
 The signature is computed using `SignWithLabel` with label
 `"MLSMessageContentTBS"` and with a content that covers the message content and
 the wire format that will be used for this message. If the sender's
-`sender_type` is `Member`, the content also covers the GroupContext for the
-current epoch, so that signatures are specific to a given group and epoch.
+`sender_type` is `member`, the content also covers the GroupContext for the
+current epoch so that signatures are specific to a given group and epoch.
 
 The sender MUST use the private key corresponding to the following signature key
 depending on the sender's `sender_type`:
@@ -1519,30 +1530,12 @@ depending on the sender's `sender_type`:
   * `commit`: The signature key in the credential contained in the KeyPackage in
     the Commit's path (see Section {{external-initialization}}).
 
-~~~ tls
-struct {
-    ProtocolVersion version = mls10;
-    WireFormat wire_format;
-    MLSMessageContent content;
-    select (MLSMessageContentTBS.content.sender.sender_type) {
-        case member:
-        case new_member:
-            GroupContext context;
-
-        case external:
-            struct{};
-    }
-} MLSMessageContentTBS;
-~~~
-
 Recipients of an MLSMessage MUST verify the signature with the key depending on
 the `sender_type` of the sender as described above.
 
 The confirmation tag value confirms that the members of the group have arrived
-at the same state of the group.
-
-A MLSMessageAuth is said to be valid when both the `signature` and
-`confirmation_tag` fields are valid.
+at the same state of the group. An MLSMessageAuth is said to be valid when both
+the `signature` and `confirmation_tag` fields are valid.
 
 ## Encoding and Decoding a Plaintext