# Background

Public keys used to provide end-to-end encrypted communication services are often authenticated solely by the assertion of the communications service provider. As a result, the underlying encryption protocols are left vulnerable to eavesdropping and impersonation by the service provider, which could distribute malicious public keys. To provide confidence to their users and to mitigate this attack, end-to-end encrypted communication service providers are increasingly looking for a way to provide verifiability for identity-to-public-key bindings in their systems.

A scheme for providing this verifiability of key bindings must be:

* Transparent: All end users (applications or devices) receive a globally consistent view of the data associated with each identity.
* User-friendly: Little (ideally zero) user action, or even awareness of the system, is required to verify a user's key bindings.
* Private: The service provider is not required to publicly reveal potentially sensitive data about its users, such as which keys are associated with an identity, or even whether a specific identity is registered with the service provider.
* Efficient: The computational requirements for both the end user and the service provider scale sub-linearly with the number of users in the system.
* Sustainable: Data that is no longer required by end users may eventually stop being stored.

# Goals

The KEYTRANS working group will develop a standard for providing public verifiability for identity-to-public-key bindings in an end-to-end encrypted system with the above properties. This standardized approach will be integrated into other, more complete end-to-end protocols and services.

The solution the WG defines is expected to:

* Allow an end user to upload their public key to a communications service provider, and download the public keys of other end users.
* Allow end users to verify on an ongoing basis (through the communications service provider) that they have a globally consistent view of which public keys have been associated with which accounts, including their own.

Out of scope for the WG is to:

* Enable interoperability between end-to-end encrypted services, as full interoperability of an application would require alignment at many different layers beyond security.
* Develop an end-to-end encryption protocol for user messages.

# Program of Work

The WG is expected to:

* Specify an architecture for this public verifiability mechanism.
* Standardize the core scheme for providing verifiability for identity-to-public-key bindings in an end-to-end encrypted system.
* Standardize integrations of this verifiability mechanism with other protocols (where the exact security guarantees provided will depend on the underlying encryption).

The WG will work collaboratively with the MLS WG.

# Milestones

* Dec 2023 - Initial WG adoption of an architecture document
* Mar 2024 - Initial WG adoption of core transparent verifiability mechanism document
* Jul 2024 - Initial WG adoption of MLS integration document
* Mar 2025 - Submit architecture document to the IESG as Informational
* Nov 2025 - Submit core transparent verifiability mechanism document to the IESG as Proposed Standard
* Nov 2025 - Submit MLS integration document to the IESG as Proposed Standard