Skip to content

Commit 281f1cc

Browse files
Bren2010Bren2010
committed
Rework paragraph to sound less like recommendation
1 parent 05dcc13 commit 281f1cc

File tree

1 file changed

+12
-10
lines changed

1 file changed

+12
-10
lines changed

draft-ietf-mls-architecture.md

+12-10
Original file line numberDiff line numberDiff line change
@@ -874,16 +874,18 @@ approach, a malicious member that's capable of sending invalid Commits is also
874874
capable of corrupting the state that other users need to perform an external
875875
join, thereby preventing successful external joins.
876876

877-
Instead of the above approaches, it is generally simpler for the Delivery
878-
Service take no stance on which Commit is "correct" for an epoch. The DS can
879-
enable clients to choose between Commits, for example by providing Commits in
880-
the order received when there are multiple, and allow clients to reject any
881-
Commits that violate their view of the group's policies. As such, all honest and
882-
correctly-implemented clients will arrive at the same "first valid Commit" and
883-
choose to process it. Malicious or buggy clients that process a different Commit
884-
will end up in a forked view of the group, isolated from the honest members.
885-
886-
The only instance where not all group members will agree on the validity of a
877+
An alternative approach is for the Delivery Service take no stance on which
878+
Commit is "correct" for an epoch. The DS can enable clients to choose between
879+
Commits, for example by providing Commits in the order received when there are
880+
multiple, and allow clients to reject any Commits that violate their view of the
881+
group's policies. As such, all honest and correctly-implemented clients will
882+
arrive at the same "first valid Commit" and choose to process it. Malicious or
883+
buggy clients that process a different Commit will end up in a forked view of
884+
the group. While allowing a group's state to fork has fewer security
885+
implications than the above approaches, it can complicate some operational
886+
aspects of MLS for the DS, such as how to support external joins.
887+
888+
The only instance where not all honest group members will agree on the validity of a
887889
Commit, is when the Commit is invalid in the form described in {{Section 16.12
888890
of RFC9420}}. This creates a subset of members that are unable to process the
889891
Commit. When a user discovers that they're in such a subset, they can request a

0 commit comments

Comments
 (0)