From 2f48bbdd6d361e9c2f537b021658e31089e9e648 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 10:22:34 +1100
Subject: [PATCH 01/11] Add context on ethereum wallets

---
 xmtp_mls/IDENTITY.md | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 918c3da96..4209fa39e 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -8,13 +8,13 @@ Amal's account (Ethereum wallet address)
 ├── Converse app (mobile phone)
 │   └── Installation key bundle 1
 │
-├── Coinbase Wallet (mobile phone)
+├── Coinbase Wallet app (mobile phone)
 │   └── Installation key bundle 2
 │
-├── Lenster (tablet)
+├── Lenster app (tablet)
 │   └── Installation key bundle 3
 │
-└── Coinbase Wallet (tablet)
+└── Coinbase Wallet app (tablet)
     └── Installation key bundle 4
 ```
 
@@ -24,6 +24,14 @@ Using per-installation keys provides the following benefits:
 - The user may enumerate the installations that have messaging access to their account.
 - The user may revoke keys on a per-installation level.
 
+**Ethereum wallet**
+
+Today, an Ethereum wallet consists of a [secp256k1 keypair](https://ethereum.org/en/developers/docs/accounts/#account-creation), and is identified by a a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
+
+The owner of a wallet may sign arbitrary text with the wallet. Most wallet software requires explicit [user acceptance](https://docs.metamask.io/wallet/how-to/sign-data/#use-personal_sign) of the signature text. The signature text is formatted according to version `0x45` of [ERC-191](https://eips.ethereum.org/EIPS/eip-191), and is signed via a recoverable ECDSA signature.
+
+There is currently no way to rotate the keys associated with an Ethereum wallet. In the event that a wallet is compromised, the user must create a new wallet.
+
 **Installation provisioning**
 
 Every new app installation gains messaging access as follows:

From 93b80560fca81ca03b4bf23b4fb0aa610b05e1e5 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 11:09:52 +1100
Subject: [PATCH 02/11] Add installation_public_key to credential, clean up
 time representation, clean up details

---
 xmtp_mls/IDENTITY.md | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 4209fa39e..78bd739bc 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -28,39 +28,43 @@ Using per-installation keys provides the following benefits:
 
 Today, an Ethereum wallet consists of a [secp256k1 keypair](https://ethereum.org/en/developers/docs/accounts/#account-creation), and is identified by a a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
 
-The owner of a wallet may sign arbitrary text with the wallet. Most wallet software requires explicit [user acceptance](https://docs.metamask.io/wallet/how-to/sign-data/#use-personal_sign) of the signature text. The signature text is formatted according to version `0x45` of [ERC-191](https://eips.ethereum.org/EIPS/eip-191), and is signed via a recoverable ECDSA signature.
+The owner of a wallet may sign arbitrary text with the wallet. Most wallet software requires explicit [user acceptance](https://docs.metamask.io/wallet/how-to/sign-data/#use-personal_sign) of the signature text. The signature text is formatted according to version `0x45` of [EIP-191](https://eips.ethereum.org/EIPS/eip-191), and is signed via a recoverable ECDSA signature.
 
 There is currently no way to rotate the keys associated with an Ethereum wallet. In the event that a wallet is compromised, the user must create a new wallet.
 
 **Installation provisioning**
 
-Every new app installation gains messaging access as follows:
+XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') that is identified via the Ethereum addressing format. The public installation key is used as the `signature_key` in all MLS leaf nodes, and is associated with the account's wallet via a wallet-signed credential. Every new app installation gains messaging access as follows:
 
-1. A new Ed25519 signature key pair is generated and stored on the device, representing the installation's identity.
-2. The app prompts the user to sign the public key with their Ethereum wallet, establishing an association between the installation's identity and the user’s account. Example text:
+1. The new Ed25519 key pair (installation key) is generated and stored on the device.
+2. The app prompts the user to sign the public key with their Ethereum wallet, establishing an association between the installation's identity and the user’s account. The user is expected to inspect the text and reject the signing request if the data is invalid, for example if the `current time` is incorrect. Text format:
 
    ```
    XMTP: Grant Messaging Access
 
-   Current Time: <current time and local timezone>
-   Installation Key: <hex(last_20_bytes(keccak256(Ed25519PublicKey)))>
+   Current Time: <ISO 8601 date and time with local UTC offset>
+   Installation ID: <hex(last_20_bytes(keccak256(Ed25519PublicKey)))>
    ```
 
-3. The following data is protobuf-serialized to form the MLS Credential. The credential can be presented alongside the installation key to prove an association with an account:
+3. The following data is protobuf-serialized to form the MLS Credential:
 
    ```
-   MlsCredential {
-       Eip191Association {
-           association_text_version: i32,
-           signature: bytes,
-           wallet_address: string,
-           creation_time_ns: i64,
-       }
-   }
+   struct {
+        association_text_version: i32,
+        signature: bytes,
+        creation_iso8601_time: string,
+        wallet_address: string,
+   } Eip191Association;
+
+
+   struct {
+       installation_public_key: bytes,
+       eip191_association: Eip191Association
+   } MlsCredential;
    ```
 
-4. A last resort KeyPackage (signed by the installation key per the MLS spec) is generated and stored on the device.
-5. The app publishes the public signing key, credential, and last resort key package to the server, which stores it under the account. Other apps may query for this information to understand that the installation is on the network, associated with the account, and how to contact it.
+4. A last resort KeyPackage (containing the credential and signed by the installation key per the [MLS spec](https://www.rfc-editor.org/rfc/rfc9420.html#name-key-packages)) is generated and stored on the device.
+5. The app publishes the last resort key package to the server. Other apps may query for this information to understand that the installation is on the network, associated with the account, and how to contact it.
 
 **Installation management**
 

From df2023f7161c66769f504f0f0b0b07d96081ac0c Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 11:57:17 +1100
Subject: [PATCH 03/11] Add context around labels

---
 xmtp_mls/IDENTITY.md | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 78bd739bc..2a0744e3a 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -24,20 +24,31 @@ Using per-installation keys provides the following benefits:
 - The user may enumerate the installations that have messaging access to their account.
 - The user may revoke keys on a per-installation level.
 
-**Ethereum wallet**
+## Ethereum wallet
 
-Today, an Ethereum wallet consists of a [secp256k1 keypair](https://ethereum.org/en/developers/docs/accounts/#account-creation), and is identified by a a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
+Today, an Ethereum wallet consists of a secp256k1 keypair, and is identified by a a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
 
-The owner of a wallet may sign arbitrary text with the wallet. Most wallet software requires explicit [user acceptance](https://docs.metamask.io/wallet/how-to/sign-data/#use-personal_sign) of the signature text. The signature text is formatted according to version `0x45` of [EIP-191](https://eips.ethereum.org/EIPS/eip-191), and is signed via a recoverable ECDSA signature.
+The wallet keys can be used to sign arbitrary text, with most wallet software requiring explicit [user acceptance](https://docs.metamask.io/wallet/how-to/sign-data/#use-personal_sign) of the signature text. The signature text is formatted according to version `0x45` of [EIP-191](https://eips.ethereum.org/EIPS/eip-191), and is signed via a recoverable ECDSA signature.
+
+Wallet signature requests originating from XMTP will additionally prepend context to the EIP-191 `message` field to prevent collisions between signatures in different contexts:
+
+```
+XMTP: <Label>\n\n
+```
+
+| Label                   | Described in section                                    |
+| ----------------------- | ------------------------------------------------------- |
+| Grant messaging access  | [Installation provisioning](#installation-provisioning) |
+| Revoke messaging access | [Installation revocation](#installation-revocation)     |
 
 There is currently no way to rotate the keys associated with an Ethereum wallet. In the event that a wallet is compromised, the user must create a new wallet.
 
-**Installation provisioning**
+## Installation provisioning
 
-XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') that is identified via the Ethereum addressing format. The public installation key is used as the `signature_key` in all MLS leaf nodes, and is associated with the account's wallet via a wallet-signed credential. Every new app installation gains messaging access as follows:
+XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') and are identified via the Ethereum addressing format. The public installation key is used as the `signature_key` in all MLS leaf nodes, and is associated with the account's wallet via a wallet-signed credential. Every new app installation gains messaging access as follows:
 
 1. The new Ed25519 key pair (installation key) is generated and stored on the device.
-2. The app prompts the user to sign the public key with their Ethereum wallet, establishing an association between the installation's identity and the user’s account. The user is expected to inspect the text and reject the signing request if the data is invalid, for example if the `current time` is incorrect. Text format:
+2. The app prompts the user to sign the public key with their Ethereum wallet. The user is expected to inspect the text and reject the signing request if the data is invalid, for example if the displayed time is incorrect. Association text version 1 format:
 
    ```
    XMTP: Grant Messaging Access
@@ -46,7 +57,7 @@ XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') t
    Installation ID: <hex(last_20_bytes(keccak256(Ed25519PublicKey)))>
    ```
 
-3. The following data is protobuf-serialized to form the MLS Credential:
+3. The signature and related data is then protobuf-serialized to form the MLS Credential:
 
    ```
    struct {
@@ -64,15 +75,17 @@ XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') t
    ```
 
 4. A last resort KeyPackage (containing the credential and signed by the installation key per the [MLS spec](https://www.rfc-editor.org/rfc/rfc9420.html#name-key-packages)) is generated and stored on the device.
-5. The app publishes the last resort key package to the server. Other apps may query for this information to understand that the installation is on the network, associated with the account, and how to contact it.
+5. The app publishes the last resort key package to the server. The server will provide all valid last resort key packages for a given wallet address to any client that requests it.
+
+## Credential validation
 
-**Installation management**
+## Installation revocation
 
 At any time, the user may enumerate active installations by querying for all identity updates under the account. The user may identify each installation by the creation time as well as the installation key from the signing text.
 
 In the event of a compromise, malicious app, or no longer used installation, the user may revoke an installation’s messaging access going forward by signing a revocation payload containing the installation’s identity keys using their wallet and publishing it to the server. This will subsequently be surfaced in the identity update list for clients to validate.
 
-**Authentication service**
+## Authentication service
 
 Unlike in other messaging providers, XMTP accounts are key-pairs. This means that the link between an installation and an account can be achieved via a signature that can be programmatically validated on any client device. There is no need for a centralized service to validate credentials, nor for safety numbers to be shown in apps built on top of XMTP. Additionally, apps built on top of XMTP may choose to layer on decentralized name resolution protocols such as ENS in order to display a user-friendly name.
 

From 35cbbc2bfd6c9fd3a75c79a9dc8755ae70758132 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 14:29:43 +1100
Subject: [PATCH 04/11] Add installation revocation and synchronization
 sections

---
 xmtp_mls/IDENTITY.md | 88 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 72 insertions(+), 16 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 2a0744e3a..61b83a2a8 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -24,9 +24,11 @@ Using per-installation keys provides the following benefits:
 - The user may enumerate the installations that have messaging access to their account.
 - The user may revoke keys on a per-installation level.
 
-## Ethereum wallet
+## Identity lifecycle
 
-Today, an Ethereum wallet consists of a secp256k1 keypair, and is identified by a a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
+### Ethereum wallet
+
+As of Nov 30 2023, an Ethereum wallet consists of a secp256k1 keypair, and is identified by a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. The wallet keys do not expire and are not rotatable - in the event of a compromise, the user must create a new wallet. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
 
 The wallet keys can be used to sign arbitrary text, with most wallet software requiring explicit [user acceptance](https://docs.metamask.io/wallet/how-to/sign-data/#use-personal_sign) of the signature text. The signature text is formatted according to version `0x45` of [EIP-191](https://eips.ethereum.org/EIPS/eip-191), and is signed via a recoverable ECDSA signature.
 
@@ -38,17 +40,15 @@ XMTP: <Label>\n\n
 
 | Label                   | Described in section                                    |
 | ----------------------- | ------------------------------------------------------- |
-| Grant messaging access  | [Installation provisioning](#installation-provisioning) |
+| Grant messaging access  | [Installation registration](#installation-provisioning) |
 | Revoke messaging access | [Installation revocation](#installation-revocation)     |
 
-There is currently no way to rotate the keys associated with an Ethereum wallet. In the event that a wallet is compromised, the user must create a new wallet.
-
-## Installation provisioning
+### Installation registration
 
-XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') and are identified via the Ethereum addressing format. The public installation key is used as the `signature_key` in all MLS leaf nodes, and is associated with the account's wallet via a wallet-signed credential. Every new app installation gains messaging access as follows:
+XMTP installations consist of a long-lived Ed25519 key-pair (the 'installation key') and are identified via the Ethereum addressing format. The public installation key is used as the `signature_key` in all MLS leaf nodes, and is associated with the account's wallet via a wallet-signed credential. Every new app installation gains messaging access as follows:
 
 1. The new Ed25519 key pair (installation key) is generated and stored on the device.
-2. The app prompts the user to sign the public key with their Ethereum wallet. The user is expected to inspect the text and reject the signing request if the data is invalid, for example if the displayed time is incorrect. Association text version 1 format:
+2. The app prompts the user to sign the public key with their Ethereum wallet. The user is expected to inspect the text and reject the signing request if the data is invalid, for example if the displayed time is incorrect. The format for version 1 of the association text is as follows:
 
    ```
    XMTP: Grant Messaging Access
@@ -63,7 +63,7 @@ XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') a
    struct {
         association_text_version: i32,
         signature: bytes,
-        creation_iso8601_time: string,
+        iso8601_time: string,
         wallet_address: string,
    } Eip191Association;
 
@@ -75,19 +75,71 @@ XMTP installations hold a long-lived Ed25519 key-pair (the 'installation key') a
    ```
 
 4. A last resort KeyPackage (containing the credential and signed by the installation key per the [MLS spec](https://www.rfc-editor.org/rfc/rfc9420.html#name-key-packages)) is generated and stored on the device.
-5. The app publishes the last resort key package to the server. The server will provide all valid last resort key packages for a given wallet address to any client that requests it.
+5. The app publishes the last resort key package to the server. The server will provide all identity updates (registrations and revocations) for a given wallet address to any client that requests it.
+
+### Credential validation
+
+In XMTP there is no need for a centralized authentication service to validate credentials, nor for safety numbers to be shown in apps built on top of XMTP, as clients can locally validate that a credential is valid.
 
-## Credential validation
+Credential validation must be performed by clients at the [events described by the MLS spec](https://www.rfc-editor.org/rfc/rfc9420.html#name-credential-validation) as follows:
 
-## Installation revocation
+1. Verify that the referenced `installation_public_key` matches the `signature_key` of the leaf node.
+1. Derive the association text using the `association_text_version`, `creation_iso8601_time`, `installation_public_key`, with a label of `Grant Messaging Access`.
+1. Recover the wallet public key from the recoverable ECDSA `signature` on the association text.
+1. Derive the wallet address from the public key and verify that it matches the `wallet_address` on the association.
 
-At any time, the user may enumerate active installations by querying for all identity updates under the account. The user may identify each installation by the creation time as well as the installation key from the signing text.
+### Installation revocation
 
-In the event of a compromise, malicious app, or no longer used installation, the user may revoke an installation’s messaging access going forward by signing a revocation payload containing the installation’s identity keys using their wallet and publishing it to the server. This will subsequently be surfaced in the identity update list for clients to validate.
+_Note: Revocation is not scheduled to be built until Q2 2024 or later_
+
+Users may revoke an installation as follows:
+
+1. Enumerate active installations by querying for all identity updates under the account. The user may identify each installation by the creation time as well as the installation public key of the credential.
+1. Select the installation to revoke.
+1. The app prompts the user to sign the revocation with their Ethereum wallet. The user is expected to inspect the text and reject the signing request if the data is invalid, for example if the displayed time is incorrect. The format for version 1 of the association text is as follows:
+
+   ```
+   XMTP: Revoke Messaging Access
 
-## Authentication service
+   Current Time: <ISO 8601 date and time with local UTC offset>
+   Installation ID: <hex(last_20_bytes(keccak256(Ed25519PublicKey)))>
+   ```
 
-Unlike in other messaging providers, XMTP accounts are key-pairs. This means that the link between an installation and an account can be achieved via a signature that can be programmatically validated on any client device. There is no need for a centralized service to validate credentials, nor for safety numbers to be shown in apps built on top of XMTP. Additionally, apps built on top of XMTP may choose to layer on decentralized name resolution protocols such as ENS in order to display a user-friendly name.
+1. The signature and related data is then protobuf-serialized to form the revocation:
+
+   ```
+   struct {
+       installation_public_key: bytes,
+       eip191_association: Eip191Association
+   } InstallationRevocation;
+   ```
+
+1. The app publishes the revocation to the server. The server will provide all identity updates (registrations and revocations) for a given wallet address to any client that requests it.
+
+Validation of revocations is identical to the process described in [Credential Validation](#credential-validation), except that a label of `Revoke Messaging Access` is used.
+
+Once an installation is revoked, it cannot be re-registered or re-provisioned. The time displayed on the revocation is for informational purposes only.
+
+### Installation synchronization
+
+At any time in the course of a conversation, the list of valid installations for the participating wallet addresses may change via registration or revocation.
+
+Clients must perform the following validation prior to publishing each payload on the group:
+
+1. Assemble a list of wallet addresses in the conversation from the leaf nodes.
+1. Fetch all identity updates on those wallet addresses, and construct a list of valid installations.
+1. Remove nodes from the conversation that are not in the list of valid installations.
+1. Add nodes to the conversation that are in the list of valid installations and not already present.
+
+Clients must perform the following validation on receiving each payload in the group:
+
+1. Query the server for identity updates on the sending wallet address and verify that the sending installation has not been revoked.
+
+XMTP clients may perform performance optimizations, such as caching installation lists with a short TTL.
+
+An open area of investigation is ensuring transcript consistency in the face of revoked clients. If the server can maintain a strict ordering between revocations and payloads in the conversations (such as commits performed by the revoked clients), then all participants may apply the updates in a consistent way.
+
+### Delivery service and server trust
 
 Although registrations and revocations cannot be forged, we currently rely on trust in centralized XMTP servers not to maliciously hide installation registration and revocation payloads from clients that request them. Current decentralization efforts within XMTP will eventually produce a trustless public immutable record of registrations and revocations that does not rely on any single entity.
 
@@ -105,3 +157,7 @@ The latter can be addressed using the mechanism described in the earlier section
 **Mapping from conversations to accounts**
 
 Will add this in next PR.
+
+Clients must perform the following validation when a member is added:
+
+Clients must perform the following validation when a member is removed:

From 894ac63c22bd68e502cc04fd5faa26a955bf6378 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 14:57:38 +1100
Subject: [PATCH 05/11] Add server trust section

---
 xmtp_mls/IDENTITY.md | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 61b83a2a8..41de2c97c 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -131,17 +131,24 @@ Clients must perform the following validation prior to publishing each payload o
 1. Remove nodes from the conversation that are not in the list of valid installations.
 1. Add nodes to the conversation that are in the list of valid installations and not already present.
 
-Clients must perform the following validation on receiving each payload in the group:
+XMTP clients may perform performance optimizations, such as caching installation lists with a short TTL.
+
+To support revocations (Q2+ 2024), clients must additionally perform the following validation on receiving each payload in the group:
 
 1. Query the server for identity updates on the sending wallet address and verify that the sending installation has not been revoked.
 
-XMTP clients may perform performance optimizations, such as caching installation lists with a short TTL.
+An open area of investigation is ensuring transcript consistency in the face of revoked clients. If the server can maintain a strict ordering between revocations and payloads in the conversation (especially commits performed by the revoked clients), then all participants can achieve consensus on whether a payload from the revoked client should be applied or not.
+
+### Server trust
 
-An open area of investigation is ensuring transcript consistency in the face of revoked clients. If the server can maintain a strict ordering between revocations and payloads in the conversations (such as commits performed by the revoked clients), then all participants may apply the updates in a consistent way.
+We currently rely on trust in centralized XMTP servers, which could do the following if malicious.
 
-### Delivery service and server trust
+1. **Selectively omit payloads**. A malicious server could hide registrations (and application messages) from valid installations in order to censor them, or revocations for invalid installations in order to prevent post-compromise recovery.
+   - Decentralization efforts within XMTP aim to produce an immutable log of these events (H1 2024).
+1. **Reorder payloads**. A malicious server could reorder messages and commits within a conversation.
+   - Decentralization efforts within XMTP aim to produce a consensus-driven ordering of commits at minimum (H2+ 2024).
 
-Although registrations and revocations cannot be forged, we currently rely on trust in centralized XMTP servers not to maliciously hide installation registration and revocation payloads from clients that request them. Current decentralization efforts within XMTP will eventually produce a trustless public immutable record of registrations and revocations that does not rely on any single entity.
+Note, however, that a malicious server is unable to forge payloads due to the use of digital signatures.
 
 ## Synchronizing MLS group membership
 

From 5ab26c7f0d15ee0c8a687618e009eeeb2d00eb11 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 16:12:06 +1100
Subject: [PATCH 06/11] Update account-level membership section

---
 xmtp_mls/IDENTITY.md | 36 ++++++++++++++++--------------------
 1 file changed, 16 insertions(+), 20 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 41de2c97c..4374e5a28 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -75,7 +75,7 @@ XMTP installations consist of a long-lived Ed25519 key-pair (the 'installation k
    ```
 
 4. A last resort KeyPackage (containing the credential and signed by the installation key per the [MLS spec](https://www.rfc-editor.org/rfc/rfc9420.html#name-key-packages)) is generated and stored on the device.
-5. The app publishes the last resort key package to the server. The server will provide all identity updates (registrations and revocations) for a given wallet address to any client that requests it.
+5. The app publishes the last resort key package to the server, which implicitly serves as a registration. The server will provide all identity updates (registrations and revocations) for a given wallet address to any client that requests it.
 
 ### Credential validation
 
@@ -127,9 +127,10 @@ At any time in the course of a conversation, the list of valid installations for
 Clients must perform the following validation prior to publishing each payload on the group:
 
 1. Assemble a list of wallet addresses in the conversation from the leaf nodes.
-1. Fetch all identity updates on those wallet addresses, and construct a list of valid installations.
-1. Remove nodes from the conversation that are not in the list of valid installations.
-1. Add nodes to the conversation that are in the list of valid installations and not already present.
+1. Fetch all identity updates on those wallet addresses.
+1. Validate the credentials and revocations and construct a list of valid installations (registered installations minus revoked installations).
+1. Publish a commit to remove nodes from the conversation that are not in the list of valid installations.
+1. Publish a commit to add nodes to the conversation that are in the list of valid installations and not already present.
 
 XMTP clients may perform performance optimizations, such as caching installation lists with a short TTL.
 
@@ -143,28 +144,23 @@ An open area of investigation is ensuring transcript consistency in the face of
 
 We currently rely on trust in centralized XMTP servers, which could do the following if malicious.
 
-1. **Selectively omit payloads**. A malicious server could hide registrations (and application messages) from valid installations in order to censor them, or revocations for invalid installations in order to prevent post-compromise recovery.
-   - Decentralization efforts within XMTP aim to produce an immutable log of these events (H1 2024).
+1. **Omit payloads**. A malicious server could hide registrations (and application messages) from valid installations in order to censor them, or revocations for invalid installations in order to prevent post-compromise recovery.
+   - Decentralization efforts within XMTP aim to produce an immutable log of identity updates (H1 2024), with immutability of conversation payloads coming later.
 1. **Reorder payloads**. A malicious server could reorder messages and commits within a conversation.
    - Decentralization efforts within XMTP aim to produce a consensus-driven ordering of commits at minimum (H2+ 2024).
 
-Note, however, that a malicious server is unable to forge payloads due to the use of digital signatures.
+Note, however, that a malicious server is unable to forge registration and revocation payloads without access to the wallet keys used to sign them.
 
-## Synchronizing MLS group membership
+## Account-level membership
 
-At the user level, messages are exchanged between accounts, however at the cryptographic level, messages are exchanged between installations. This poses the question of how MLS group membership can be kept up-to-date as installations are registered and revoked and members are added and removed. This requires two components which will be addressed in reverse order:
+At the user level, messages are exchanged between accounts, however at the cryptographic level, messages are exchanged between installations. Because of this two-layer system, there must exist a mechanism for mapping between accounts and installations in a conversation.
 
-1. How to know which accounts are members of a group
-2. How to know which installations belong to each account
+We use an implicit mapping - an account is considered a participant of a conversation if one or more installations from the account are present in the tree.
 
-**Mapping from accounts to installations**
+- **Listing accounts**. To list accounts, we enumerate unique wallet addresses from the credentials of the leaf nodes in the conversation.
+- **Adding accounts**. To add an account, publish a commit adding one or more installations belonging to the account to the conversation. Note that if we fail to include all valid installations belonging to the account, it will be resolved via the process described in [Installation Synchronization](#installation-synchronization).
+- **Removing accounts**. To remove an account, publish a commit removing _all_ installations belonging to the account from the conversation. It is important that all installations belonging to the account that are present in the tree during the epoch in which the commit is published are removed, and we ensure this is the case by enforcing linear ordering of epochs.
 
-The latter can be addressed using the mechanism described in the earlier section - any participant in a conversation can query for updates on any account in the conversation and construct the current list of valid installations. If the current installation list does not match what is in the group, the participant may add or remove installations in the group to match the latest state, and all other participants may perform the same verification. This can be performed at any frequency (for example before every message send), with various performance optimizations possible.
+### Other approaches
 
-**Mapping from conversations to accounts**
-
-Will add this in next PR.
-
-Clients must perform the following validation when a member is added:
-
-Clients must perform the following validation when a member is removed:
+Account/user trees are another approach for solving this problem, however we assume the complexity of managing key packages and welcome messages in this system is higher than the current system, and have therefore deferred this. We are open to feedback otherwise!

From c7f7667f8a0dcb61c9034754f83e8a20e0e7dd66 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 16:14:08 +1100
Subject: [PATCH 07/11] Tweak

---
 xmtp_mls/IDENTITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 4374e5a28..a5f015c8c 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -28,7 +28,7 @@ Using per-installation keys provides the following benefits:
 
 ### Ethereum wallet
 
-As of Nov 30 2023, an Ethereum wallet consists of a secp256k1 keypair, and is identified by a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. The wallet keys do not expire and are not rotatable - in the event of a compromise, the user must create a new wallet. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
+As of Nov 30 2023, an Ethereum wallet consists of a secp256k1 keypair, and is identified by a public address, which is the hex-encoding of the last 20 bytes of the Keccak-256 hash of the public key, prepended by `0x`. Wallet keys do not expire and are not rotatable - in the event of a compromise, the user must create a new wallet. The user is expected to have a pre-existing Ethereum wallet prior to onboarding with XMTP.
 
 The wallet keys can be used to sign arbitrary text, with most wallet software requiring explicit [user acceptance](https://docs.metamask.io/wallet/how-to/sign-data/#use-personal_sign) of the signature text. The signature text is formatted according to version `0x45` of [EIP-191](https://eips.ethereum.org/EIPS/eip-191), and is signed via a recoverable ECDSA signature.
 

From f94a3c25523521841c7b749b2e6fa2ccc9128949 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Thu, 30 Nov 2023 16:23:30 +1100
Subject: [PATCH 08/11] Fix link

---
 xmtp_mls/IDENTITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index a5f015c8c..0ef2f23e7 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -40,7 +40,7 @@ XMTP: <Label>\n\n
 
 | Label                   | Described in section                                    |
 | ----------------------- | ------------------------------------------------------- |
-| Grant messaging access  | [Installation registration](#installation-provisioning) |
+| Grant messaging access  | [Installation registration](#installation-registration) |
 | Revoke messaging access | [Installation revocation](#installation-revocation)     |
 
 ### Installation registration

From 18c7f93e7dfde34bca2d2dd00309d8995599f1c2 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Mon, 4 Dec 2023 09:45:35 +1100
Subject: [PATCH 09/11] Update revocation approach

---
 xmtp_mls/IDENTITY.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 0ef2f23e7..716070575 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -79,15 +79,18 @@ XMTP installations consist of a long-lived Ed25519 key-pair (the 'installation k
 
 ### Credential validation
 
-In XMTP there is no need for a centralized authentication service to validate credentials, nor for safety numbers to be shown in apps built on top of XMTP, as clients can locally validate that a credential is valid.
+Apps built on XMTP have a reduced need for safety numbers to be shown, as clients can locally validate that a credential is valid.
 
 Credential validation must be performed by clients at the [events described by the MLS spec](https://www.rfc-editor.org/rfc/rfc9420.html#name-credential-validation) as follows:
 
+1. Verify that the referenced `installation_public_key` has not been revoked (see [Installation revocation](#installation-revocation)).
 1. Verify that the referenced `installation_public_key` matches the `signature_key` of the leaf node.
 1. Derive the association text using the `association_text_version`, `creation_iso8601_time`, `installation_public_key`, with a label of `Grant Messaging Access`.
 1. Recover the wallet public key from the recoverable ECDSA `signature` on the association text.
 1. Derive the wallet address from the public key and verify that it matches the `wallet_address` on the association.
 
+Currently, verifying revocations require a degree of server trust, however this is not the long-term goal - see [Server trust](#server-trust).
+
 ### Installation revocation
 
 _Note: Revocation is not scheduled to be built until Q2 2024 or later_
@@ -115,16 +118,19 @@ Users may revoke an installation as follows:
    ```
 
 1. The app publishes the revocation to the server. The server will provide all identity updates (registrations and revocations) for a given wallet address to any client that requests it.
+1. The installation performing the revocation enumerates all known groups that it is a member of, and submits proposals to remove the revoked installation. Additional removals may also occur via the process described in [Installation synchronization](#installation-synchronization).
 
-Validation of revocations is identical to the process described in [Credential Validation](#credential-validation), except that a label of `Revoke Messaging Access` is used.
+Validation of revocation payloads is identical to the process described in [Credential Validation](#credential-validation), except that a label of `Revoke Messaging Access` is used.
 
 Once an installation is revoked, it cannot be re-registered or re-provisioned. The time displayed on the revocation is for informational purposes only.
 
+Revocations may not apply immediately on all groups. In order to ensure transcript consistency, payloads from revoked installations are considered valid if they were published before the installation was removed from the group.
+
 ### Installation synchronization
 
 At any time in the course of a conversation, the list of valid installations for the participating wallet addresses may change via registration or revocation.
 
-Clients must perform the following validation prior to publishing each payload on the group:
+Clients must perform the following validation prior to publishing each payload on the group, as well as periodically:
 
 1. Assemble a list of wallet addresses in the conversation from the leaf nodes.
 1. Fetch all identity updates on those wallet addresses.
@@ -134,10 +140,6 @@ Clients must perform the following validation prior to publishing each payload o
 
 XMTP clients may perform performance optimizations, such as caching installation lists with a short TTL.
 
-To support revocations (Q2+ 2024), clients must additionally perform the following validation on receiving each payload in the group:
-
-1. Query the server for identity updates on the sending wallet address and verify that the sending installation has not been revoked.
-
 An open area of investigation is ensuring transcript consistency in the face of revoked clients. If the server can maintain a strict ordering between revocations and payloads in the conversation (especially commits performed by the revoked clients), then all participants can achieve consensus on whether a payload from the revoked client should be applied or not.
 
 ### Server trust

From 1c0b6b4fce73910bd8a47535bb0f9e2f1f342d82 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Mon, 4 Dec 2023 10:16:13 +1100
Subject: [PATCH 10/11] Remove paragraph about strict ordering

---
 xmtp_mls/IDENTITY.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 716070575..48b27306f 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -140,8 +140,6 @@ Clients must perform the following validation prior to publishing each payload o
 
 XMTP clients may perform performance optimizations, such as caching installation lists with a short TTL.
 
-An open area of investigation is ensuring transcript consistency in the face of revoked clients. If the server can maintain a strict ordering between revocations and payloads in the conversation (especially commits performed by the revoked clients), then all participants can achieve consensus on whether a payload from the revoked client should be applied or not.
-
 ### Server trust
 
 We currently rely on trust in centralized XMTP servers, which could do the following if malicious.

From cd50cc98be46931fad5a249611b6359d672c8c88 Mon Sep 17 00:00:00 2001
From: Richard Hua <rich@rkhua.com>
Date: Wed, 6 Dec 2023 10:24:27 +1100
Subject: [PATCH 11/11] Clarify that installation key should not be used
 outside of MLS

---
 xmtp_mls/IDENTITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xmtp_mls/IDENTITY.md b/xmtp_mls/IDENTITY.md
index 48b27306f..97170eb30 100644
--- a/xmtp_mls/IDENTITY.md
+++ b/xmtp_mls/IDENTITY.md
@@ -45,7 +45,7 @@ XMTP: <Label>\n\n
 
 ### Installation registration
 
-XMTP installations consist of a long-lived Ed25519 key-pair (the 'installation key') and are identified via the Ethereum addressing format. The public installation key is used as the `signature_key` in all MLS leaf nodes, and is associated with the account's wallet via a wallet-signed credential. Every new app installation gains messaging access as follows:
+XMTP installations consist of a long-lived Ed25519 key-pair (the 'installation key') and are identified via the Ethereum addressing format. The public installation key is used as the `signature_key` in all MLS leaf nodes and nowhere else, and is associated with the account's wallet via a wallet-signed credential. Every new app installation gains messaging access as follows:
 
 1. The new Ed25519 key pair (installation key) is generated and stored on the device.
 2. The app prompts the user to sign the public key with their Ethereum wallet. The user is expected to inspect the text and reject the signing request if the data is invalid, for example if the displayed time is incorrect. The format for version 1 of the association text is as follows: