Public keys used to provide end-to-end encrypted communication services are often authenticated solely by the assertion of the communications service provider. As a result, the underlying encryption protocols are left vulnerable to eavesdropping and impersonation by the service provider, which could distribute malicious public keys. To provide confidence to their users and to mitigate this attack, end-to-end encrypted communication service providers are increasingly looking for a way to provide verifiability for identity-to-public-key bindings in their systems.

A scheme for providing this verifiability of key bindings must be:

* Transparent: All end users (applications or devices) receive a globally consistent view of the data associated with each identity.
* User-friendly: Little (ideally zero) user action, or even awareness of the system, is required to verify a user's key bindings.
* Private: The service provider is not required to publicly reveal potentially sensitive data about its users, such as which keys are associated with an identity, or even whether or not a specific identity is registered with the service provider.
* Efficient: The computational requirements for both the end user and the service provider scale sub-linearly with the number of users in the system.
* Sustainable: Data that is no longer required by end users may eventually stop being stored.

The KEYTRANS working group will develop a standard for providing public verifiability for identity-to-public-key bindings in an end-to-end encrypted system with the above properties. This standardized approach will allow shared validation of the end-to-end encrypted communication service's security properties and allow applications to share code.

It is not a goal of this working group to enable interoperability between end-to-end encrypted services. Full interoperability of an application would require alignment at many different layers beyond security. Furthermore, it is not a goal of this working group to develop an end-to-end encryption protocol for user messages. Rather, the scheme developed by this group will be able to be integrated into other end-to-end encryption protocols.

The main deliverables of the WG will be:

* Specifying an architecture for this public verifiability mechanism
* Standardizing the core scheme for providing verifiability for identity-to-public-key bindings in an end-to-end encrypted system
* Standardizing integrations of this verifiability mechanism with other protocols (where the exact security guarantees provided will depend on the underlying encryption)

The WG will work collaboratively with the MLS WG.

Milestones

* Mar 2024 - Initial WG adoption of core transparent verifiability mechanism
* Jul 2024 - Initial WG adoption of MLS integration document
* Mar 2025 - Submit core transparent verifiability mechanism document to IESG as Proposed Standard
* Mar 2025 - Submit MLS integration document to IESG as Proposed Standard