

A Credential contains identifying information about the client that created it, as well as a signature public key and the corresponding signature scheme. Credentials represent clients in MLS groups and are used to authenticate their messages. Each KeyPackage, whether pre-published or representing a client in a group, contains a Credential and is authenticated by it.

Clients can create a Credential by creating a CredentialBundle which contains the Credential, as well as the corresponding private key material. The CredentialBundle can in turn be used to generate a KeyPackageBundle.

The MLS protocol spec allows the Credential that represents a client in a group to change over time. Concretely, members can issue an Update proposal or a Full Commit to update their KeyPackage, as well as the Credential in it. The Update has to be authenticated by the signature public key contained in the old Credential.

When receiving a credential update from another member, applications must query the Authentication Service to ensure that the new credential is valid.

Credentials are specific to a signature scheme, which has to match the ciphersuite of the KeyPackage that it is embedded in. Clients can use different credentials, potentially with different signature schemes in different groups.
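
The rules above for accepting a credential update, in the order a receiving member would apply them. This is an added example, not OpenMLS code: every type and function name is hypothetical, the ciphersuite is reduced to the signature scheme it fixes, and signature verification is passed in as a parameter (the demo uses a constructed stand-in).

```rust
// Added illustration: every name below is hypothetical, none is the OpenMLS API.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum SignatureScheme { Ed25519, EcdsaP256 }

#[derive(Clone, PartialEq, Eq, Debug)]
pub struct Credential { pub identity: Vec<u8>, pub scheme: SignatureScheme, pub public_key: Vec<u8> }
// Assumption: the ciphersuite is modelled only by the signature scheme it mandates.
pub struct KeyPackage { pub ciphersuite_scheme: SignatureScheme, pub credential: Credential }
pub struct Update { pub key_package: KeyPackage, pub payload: Vec<u8>, pub signature: Vec<u8> }

#[derive(PartialEq, Eq, Debug)]
pub enum UpdateError { SchemeMismatch, NotSignedByOldCredential, RejectedByAuthenticationService }

/// `verify(scheme, public_key, payload, signature)` stands for the crypto provider's
/// signature check; `as_accepts` stands for the Authentication Service query.
pub fn check_credential_update(
    old: &Credential,
    update: &Update,
    verify: impl Fn(SignatureScheme, &[u8], &[u8], &[u8]) -> bool,
    as_accepts: impl Fn(&Credential) -> bool,
) -> Result<(), UpdateError> {
    let new = &update.key_package.credential;
    // 1. The credential's scheme must match the ciphersuite of the KeyPackage carrying it.
    if new.scheme != update.key_package.ciphersuite_scheme {
        return Err(UpdateError::SchemeMismatch);
    }
    // 2. The Update is verified with the key from the OLD credential, never the new one.
    if !verify(old.scheme, &old.public_key, &update.payload, &update.signature) {
        return Err(UpdateError::NotSignedByOldCredential);
    }
    // 3. Only then is the Authentication Service asked whether the new credential is valid.
    if !as_accepts(new) {
        return Err(UpdateError::RejectedByAuthenticationService);
    }
    Ok(())
}

/// Constructed stand-in for signature verification (NOT cryptography): a "signature"
/// is the signer's public key bytes followed by the payload bytes.
pub fn demo_verify(_s: SignatureScheme, pk: &[u8], payload: &[u8], sig: &[u8]) -> bool {
    sig == [pk, payload].concat().as_slice()
}

fn main() {
    let old = Credential { identity: b"alice".to_vec(), scheme: SignatureScheme::Ed25519, public_key: vec![1] };
    let kp = KeyPackage { ciphersuite_scheme: SignatureScheme::Ed25519, credential: Credential { public_key: vec![2], ..old.clone() } };
    let update = Update { key_package: kp, payload: b"upd".to_vec(), signature: [&[1u8][..], &b"upd"[..]].concat() };
    println!("{:?}", check_credential_update(&old, &update, demo_verify, |c| c.identity == b"alice"));
}
```

An Update signed with the key from the new credential fails at step 2, so a party that does not hold the old private key cannot swap in a credential of its own even if the Authentication Service would accept it.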

There are multiple CredentialTypes, although OpenMLS currently only supports the BasicCredential.


Credential errors


Basic Credential.

X.509 Certificate.


Credential Bundle.