Commit c4fdc45

Bren2010 and ekr authored
Apply suggestions from code review
Co-authored-by: Eric Rescorla <ekr@rtfm.com>
1 parent 0c3c0d9 commit c4fdc45

1 file changed

+4
-4
lines changed

draft-ietf-mls-architecture.md

+4-4
@@ -755,8 +755,8 @@ As an example, there could be an "ordering server" Delivery Service that
755755
broadcasts all messages received to all users and ensures that all clients see
756756
messages in the same order. This would allow clients to only apply the first
757757
valid Commit for an epoch and ignore subsequent ones. Clients that send a Commit
758-
would then wait to apply it until it's broadcast back to them by the Delivery
759-
Service, assuming they don't receive another Commit first.
758+
would then wait to apply it until it is broadcast back to them by the Delivery
759+
Service, assuming they do not receive another Commit first.
760760

761761
Alternatively, the Delivery Service can rely on the `epoch` and `content_type`
762762
fields of an MLSMessage to provide an order only to handshake messages, and
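Review bot: in new lines 758-759, the clause "assuming they do not receive another Commit first" leaves implicit what the sending client does with its own pending Commit when another one arrives first. The preceding sentence says clients apply the first valid Commit for an epoch and ignore subsequent ones, so it would help to state outright that the sender discards its unapplied Commit in that case. While the paragraph is being touched, "apply only the first valid Commit" reads better than "only apply the first valid Commit" on line 756.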
@@ -845,7 +845,7 @@ accept.
845845
Such “desynchronization” problems can arise even when the Delivery Service takes
846846
no stance on which Commit is "correct" for an epoch. The DS can enable clients
847847
to choose between Commits, for example by providing Commits in the order
848-
received when there are multiple, and allow clients to reject any Commits that
848+
received and allow clients to reject any Commits that
849849
violate their view of the group's policies. As such, all honest and
850850
correctly-implemented clients will arrive at the same "first valid Commit" and
851851
choose to process it. Malicious or buggy clients that process a different Commit
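Review bot: on new line 848, "by providing Commits in the order received and allow clients to reject" has an ambiguous attachment for "allow": it can read as a second thing the DS can do, or as a broken continuation of "by providing". Use "and allowing" if it belongs to the example, or split the sentence if it is a separate capability of the DS. The deletion also leaves line 848 noticeably short, so the paragraph could be rewrapped, and lines 845-846 mix curly quotes around “desynchronization” with straight quotes around "correct".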
@@ -857,7 +857,7 @@ security implications. For example, a client developer might have a client
857857
automatically rejoin a group, using an external join, when it processes an
858858
invalid Commit. In this operation, however, the client trusts that the
859859
GroupInfo provided by the DS faithfully represents the state of the group, and
860-
not, say, an earlier state containing a compromised leaf node. Even worse, the
860+
not, say, an earlier state containing a compromised leaf node. In addition, the
861861
DS may be able to trigger this condition by deliberately sending the victim an
862862
invalid Commit. In certain scenarios, this trust can enable the DS or a
863863
malicious insider to undermine the post-compromise security guarantees provided
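Review bot: on new line 860, "In addition" presents the DS's ability to send a deliberately invalid Commit as a separate concern of equal weight, but per lines 861-862 it is what lets the DS push the client into the rejoin path where the GroupInfo is trusted. Suggest wording that keeps that link, for example "Moreover, the DS may be able to trigger this rejoin itself by deliberately sending ...". The phrase "this condition" on line 861 would also be clearer if it named the event it refers to (the client processing an invalid Commit and rejoining), since the antecedent is several lines back.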
