Module openmls::credentials



A Credential contains identifying information about the client that created it. Credentials represent clients in MLS groups and are used to authenticate their messages. Each KeyPackage as well as each client (leaf node) in the group (tree) contains a Credential and is authenticated. The Credential must then be checked by an authentication server and the application, which is out of scope of MLS.

Clients can create a Credential.

The MLS protocol spec allows the Credential that represents a client in a group to change over time. Concretely, members can issue an Update proposal or a Full Commit to update their LeafNode, as well as the Credential in it. The Update has to be authenticated by the signature public key corresponding to the old Credential.

When receiving a credential update from another member, applications must query the Authentication Service to ensure that the new credential is valid.
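The application-side check described above, sketched as an added example that is not OpenMLS code: every type and function here (BasicCred, AuthenticationService, DirectoryAs, check_credential_update) is a hypothetical stand-in, and the directory contents are constructed sample data. The "same identity" successor rule is an assumed application policy, not something MLS mandates.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for a basic credential plus its signature key (not OpenMLS types).
#[derive(Clone, Debug, PartialEq)]
pub struct BasicCred { pub identity: Vec<u8>, pub signature_key: Vec<u8> }

#[derive(Debug, PartialEq)]
pub enum UpdateError { IdentityChanged, UnknownBinding }

/// The application's interface to its Authentication Service (hypothetical).
pub trait AuthenticationService {
    /// True if the AS vouches for this identity/signature-key binding.
    fn is_valid(&self, cred: &BasicCred) -> bool;
}

/// Constructed in-memory AS: identity -> signature keys currently vouched for.
pub struct DirectoryAs(pub HashMap<Vec<u8>, Vec<Vec<u8>>>);

impl AuthenticationService for DirectoryAs {
    fn is_valid(&self, cred: &BasicCred) -> bool {
        self.0.get(&cred.identity).map_or(false, |keys| keys.contains(&cred.signature_key))
    }
}

/// Runs after the MLS layer has verified the Update against the old signature key.
/// Assumed policy: a member may rotate keys but may not switch to another identity.
pub fn check_credential_update(auth: &dyn AuthenticationService, old: &BasicCred,
                               new: &BasicCred) -> Result<(), UpdateError> {
    if old.identity != new.identity { return Err(UpdateError::IdentityChanged); }
    if !auth.is_valid(new) { return Err(UpdateError::UnknownBinding); }
    Ok(())
}

pub fn cred(id: &str, key: &[u8]) -> BasicCred {
    BasicCred { identity: id.as_bytes().to_vec(), signature_key: key.to_vec() }
}

pub fn sample_as() -> DirectoryAs {
    let mut dir = HashMap::new();
    dir.insert(b"alice".to_vec(), vec![b"alice-key-1".to_vec(), b"alice-key-2".to_vec()]);
    dir.insert(b"bob".to_vec(), vec![b"bob-key-1".to_vec()]);
    DirectoryAs(dir)
}

fn main() {
    let (auth, old) = (sample_as(), cred("alice", b"alice-key-1"));
    println!("{:?}", check_credential_update(&auth, &old, &cred("alice", b"alice-key-2")));
}
```

The identity check matters even when the AS lookup succeeds: a binding that is valid for another user is still not an acceptable successor for this member's leaf under the assumed policy.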

There are multiple CredentialTypes, although OpenMLS currently only supports the BasicCredential.