<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-robert-mimi-attachments-06" category="info" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MIMI">MIMI Attachments</title>
    <seriesInfo name="Internet-Draft" value="draft-robert-mimi-attachments-06"/>
    <author initials="R." surname="Robert" fullname="Raphael Robert">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>ietf@raphaelrobert.com</email>
      </address>
    </author>
    <author initials="K." surname="Kohbrok" fullname="Konrad Kohbrok">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>konrad.kohbrok@datashrine.de</email>
      </address>
    </author>
    <date year="2026" month="June" day="29"/>
    <area>Security</area>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 24?>

<t>This document describes MIMI Attachments.</t>
    </abstract>
  </front>
  <middle>
    <?line 28?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Attachments are known from email, where they are used to attach files to an
email message. Attachments are also used in instant messaging, where they are
used to attach files, images, videos, etc.</t>
      <t>The main difference between attachments and other messages is that attachments
are bigger in size and their content is typically saved in files on the client
side. Since downloading attachments can be expensive for instant messaging
clients, it is common to download attachments only on demand, e.g. when the user
clicks on the attachment.</t>
      <t>draft-mimi-content defines various message content formats that can be used in
either MLS application messages or attachments. This document describes how
attachments are used in MIMI.</t>
      <section anchor="change-log">
        <name>Change Log</name>
        <t>draft-01</t>
        <ul spacing="normal">
          <li>
            <t>Version bump to prevent expiration</t>
          </li>
        </ul>
        <t>draft-02</t>
        <ul spacing="normal">
          <li>
            <t>Version bump to prevent expiration</t>
          </li>
        </ul>
        <t>draft-03</t>
        <ul spacing="normal">
          <li>
            <t>Version bump to prevent expiration</t>
          </li>
        </ul>
        <t>draft-04</t>
        <ul spacing="normal">
          <li>
            <t>Version bump to prevent expiration</t>
          </li>
        </ul>
        <t>draft-05</t>
        <ul spacing="normal">
          <li>
            <t>Version bump to prevent expiration</t>
          </li>
        </ul>
        <t>draft-06</t>
        <ul spacing="normal">
          <li>
            <t>Version bump to prevent expiration</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="access-control-quotas">
      <name>Access control &amp; quotas</name>
      <t>Attachments are bound to a specific MLS group. Only members of the group can
access the attachment. The Delivery Service enforces this access control.</t>
      <t>The Delivery Service can keep track of the size of attachments for each group,
its total number, who uploaded them, etc. This information can be used to
enforce quotas on the size of attachments, the number of attachments, etc.</t>
    </section>
    <section anchor="distribution">
      <name>Distribution</name>
      <t>Since attachments are not directly distributed as messages, they are distributed
over the MIMI Delivery Service.</t>
      <section anchor="uploading-attachments">
        <name>Uploading attachments</name>
        <t>When a client wants to send an attachment, it first uploads the attachment to
the Delivery Service. The Delivery Service returns a token that can be used to
download the attachment. The client then sends a message that contains the URL
and cryptographic key material to the intended recipients.</t>
        <t>TODO: This probably become part of <em>draft-robert-mimi-delivery-service</em>.</t>
        <t>The client first encrypts the attachment as descibed in <xref target="encryption"/> and then
uploads it to the DS using the following message:</t>
        <sourcecode type="tls"><![CDATA[
struct {
  opaque group_id<V>;
  opaque content<V>;
} UploadAttachmentRequest;
]]></sourcecode>
        <t>Upon succes, the Delivery Service returns the following message:</t>
        <sourcecode type="tls"><![CDATA[
struct {
  opaque token<V>;
} UploadAttachmentResponse;
]]></sourcecode>
      </section>
      <section anchor="sending-attachments">
        <name>Sending attachments</name>
        <t>Once clients have uploaded an attachment to the Delivery Service, they can send
messages that contain a reference to the attachment. The client sets the
contentType of the body as follows:</t>
        <sourcecode type="tls"><![CDATA[
body.contentType = "message/external-body; access-type=token;" +
  "token=<token>; nonce=<nonce>; hash=<hash>";
]]></sourcecode>
        <t>The token is the token that was received from the Delivery Service as part of
the UploadAttachmentResponse message. The nonce is a random byte sequence that
is used in the key derivation descibed in <xref target="encryption"/>. The hash is the hash
of the plaintext attachment content, as defined in <xref target="encryption"/>. The hash acts
as a commitment hash for the attachment content.</t>
        <t>TODO: This needs to be better aligned with draft-ietf-mimi-content.</t>
      </section>
      <section anchor="receiving-attachments">
        <name>Receiving attachments</name>
        <t>When a client receives a message that contains a reference to an attachment, it
first downloads the attachment from the Delivery Service using the following
message:</t>
        <sourcecode type="tls"><![CDATA[
struct {
  opaque group_id<V>;
  opaque token<V>;
} DownloadAttachmentRequest;
]]></sourcecode>
        <t>Upon succes, the Delivery Service returns the following message:</t>
        <sourcecode type="tls"><![CDATA[
struct {
  opaque content<V>;
} DownloadAttachmentResponse;
]]></sourcecode>
        <t>The client then decrypts the attachment using the nonce for the key derivation
 described in <xref target="encryption"/>.</t>
      </section>
      <section anchor="deleting-attachments">
        <name>Deleting attachments</name>
        <t>Attachments can either be deleted by members of the group (according to a
predefined policy), or by the Delivery Service after a predefined time.</t>
      </section>
      <section anchor="access-control">
        <name>Access control</name>
        <t>Attachments are bound to a specific MLS group. Only members of the group can
access the attachment. The Delivery Service enforces this access control.</t>
        <t>Attachments can however be shared between groups by either re-uploading the
attachment to the Delivery Service or by asking the Delivery Service to copy an
attachment to another group. Copying an attachment to another group is only
possible if both groups are located on the same Delivery Service, and the user
has access to both groups. It is an optimization to avoid re-uploading the same
attachment multiple times, but otherwise follows the same rules as uploading a
new attachment.</t>
      </section>
      <section anchor="encryption">
        <name>Encryption</name>
        <t>Attachments are encrypted using a nonce/key pair that is exported from the MLS
group exporter and combined with a randomly generated byte sequence on the
sender's side, and context data.</t>
        <artwork><![CDATA[
struct {
   opaque attachment_hash;
   uint64 sender_index;
} AttachmentContext;
]]></artwork>
        <t>Since attachments are specific to an MLS group, we reuse components the cipher
suite of the group:</t>
        <ul spacing="normal">
          <li>
            <t>KDF</t>
          </li>
          <li>
            <t>Hash</t>
          </li>
          <li>
            <t>AEAD</t>
          </li>
          <li>
            <t>ExpandWithLabel</t>
          </li>
        </ul>
        <t>The sender encrypts the attachment as follows:</t>
        <ul spacing="normal">
          <li>
            <t>Compute the hash of the attachment data:</t>
          </li>
        </ul>
        <artwork><![CDATA[
attachment_hash = Hash(plaintext)
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>Generate a random byte sequence <tt>nonce</tt> of length <tt>KDF.Nh</tt> bytes.</t>
          </li>
          <li>
            <t>Set the context to the following values: <tt>AttachmentContext.hash</tt>
to the previously computed <tt>attachment_hash</tt> and
<tt>AttachmentContext.sender_index</tt> to the leaf index of the sender in the group.</t>
          </li>
          <li>
            <t>Compute a secret <tt>attachment_exporter_secret</tt> from the MLS group
exporter using the previously computed context and extracts
<tt>attachment_secret</tt> from it and the nonce:</t>
          </li>
        </ul>
        <artwork><![CDATA[
attachment_exporter_secret =
   MLS-Exporter("MIMI attachment", context, KDF.Nh)

attachment_secret =
   KDF.Extract(attachment_exporter_secret, nonce)
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>Compute the nonce/key pair:</t>
          </li>
        </ul>
        <artwork><![CDATA[
attachment_nonce =
   ExpandWithLabel(attachment_secret, "nonce", "", AEAD.Nn)

attachment_key =
   ExpandWithLabel(attachment_secret, "key", "", AEAD.Nk)
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>Encrypt the attachment using the key/nonce pair.</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>








  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81Ya28buRX9zl9B2MCus5UUN90GqBwHa8RuGyTZFHay+6Eo
LM4MJRGaGc6SHMnaIPntPZfkvPTYjfulGyAeSSTv89xzL2c8HjOnXC6n/N3r
d6/5lXMiXRaydJaJJDFyHRZYptNSFNiWGTF3Y6MTady4UIUai+7M+Pw5S4WT
C222U67KuWZMVWbKnamte3Z+/rfzZ0wYKab8Tqa1UW7LVnK70Sab8telk6aU
bnxNKhizTpTZvch1CbVbaVmlpvzfTqcjbrVxRs4tPm0L+vAfxkTtltpMGR9z
aLZTfjvht95MxvEvWH8rqqWQeX9Bm4Uo1a/CKV1O+b+WWpbqgd9+c+1XZSFU
Dlekm/9gwuHg+yTVRafrzYS/0cvE6FVP2RtdGpENFr5K2cqfm6zCuR8y4YRd
GlXKSSYZG4/HXCTWGZEiSB+WynIkp6b480za1KhE2r1sTsLBQmVZDiGnFG2j
szolSxjr7eTID1+VelPyudFFMGrEN0uJ391Sbv2G2sqMO81D8vlc5VBK30vm
D/BCWisWcsJ3RYvc6nBclRQ8ZNnF3apc7CpihxSNuCogG8+1yqTGU7p0QsGQ
HMpLnqn5HFLKVPJEuo2UJRd9M8qMa2gwjZWWI4puKVx/GwGVJ2qxwD7ItOpX
6U/ioDI81YArLKeD20qlIs+33Ip18CvEQ5e0mae5wk5mYeuE3ymyKkN4cy0y
eDywLBUlLObyoZKlVWvJ59rsB4kFiRQHbwCgWJAu3codCNUlTMN6hsyUGYI1
WUwozME6BNiQwHTVGtwdRlBDwftKb3zO5BxotHwtjNK1baLYxgRGF8LFiEaX
YsaZVD7w797ecVFVUOtroUsE/O3ZPuHHAL7UGyZ2oNWgisAPy09POX+1FCUs
e6sXjSfnf0Yp8J+ksaQ3qYuKAleB6kgBIq+MCEUR9z975P6/PHL/94/c/9dH
7n/+tftP+VWaIg8+j0bn/Bv+S61BPvv8kOi6DGXJbSVTNVepT+nC6Lqa8PeE
uEIWIEpkdO5B5ZcIDUwELTtI41S91zIH6s0W7cGsFQpFooeYlLiFcCAG9sWK
3ztDiFtJCT/BkatGv69ffO6DhqpLEq1440ZMEWjhcc7LmownNgJZVVRS0ld+
EbgmwJIaHCGdAtuHudMs2h0D2BTWARtGfiGo21sKtHbKrxX4XiV1yFOgkF3w
lxrloYxMHWKfNQdgjWgLNCgLBN7bwTTC583wXWM3nqGSPlYH+Iqxn4lGRKQ4
vhGljyC3EvAQfdb1XDVXxroYz10AUNTcgXQeAYaRrjYlXMe5laeyHa6BuJYN
D0EtmuzIATKXRDVEFoQBZWgmwc6Pt28ZkX9qtpXTCxoFAHnMLmg4GFsUIAO3
aaciDiS0IBWqUrH5fnh//X4aUFNhgBAJkpRIELfklTCOMv/d/miVRa/HNnj9
XYR8tD2EE22OjNqLJ/JOdAm29KT46VPcCAx9/tx0spI12VCu8eD6DhGkTNOX
uc5zvaFvMThTxr58+eJyiwHNYH7gnzC76Er8Uscav1fZi59eXnS/xrbgf/wc
gdQRyq3EHusuSCpjHyuUiq2pzkNlHE38o43zODlqhIViK6MVwPsdkriH9vdU
eLH58iWafccNA7C3kdwxPtYfwZQgx9qu1wcccIiRNo4vUdAR8FoZ0s5iiD9s
K9nwXaKzLWEgxMh2kaGFSf/AJT+JhjyVDzSDi3xMmy4i344x4MhLH76LE/4n
RPTEf7l84R8vL8A9sPXyhX/g6xLz6uUL+vvyJEaUjA6FqkLqelW7gZUoFqlo
ePIz58HEY1csFc8Tx1LYTZ6k05tEOhFUQB6yk60DERPofHxhAMNyMzqQZKrq
DDW9Dsx+vIiCCvKz8Yo+s5iAKhfEBQ/9obKphVGoThqjflsuhnwMomQ+DXnK
eSF+hXrXTsVH4UO6KaXMPCcnfhhGfjGCqwUp3mAWixc6uuAMhrzA+rc+Lb/D
+jF3xwl0B9B7fYEFImvoeo/JjmPiAE+x/5mn+gRxHW35P/DUkC4PGTLgqt1e
lsnD7aALVaiJBj9DtLN2xD6ES48JeCrdHiSudm4xcc4H6DLaD3HJkZHwDCyj
jSdbAgfDaNpURqVxQdg+GdGtAMcP08LcQ5r3jjlVxKllOND+cefY3ejhdiPX
IXx2CUOz9h7r1VuKRoywkeO6nc2oF/x+G4rhFHbVQGJvB06mutrSfX4oT5Th
5hwj9AqbPBZ2299gH9Ej3UJZpa1VSQ5GniP2btm4Q7nINb06ytpZWRSHGmic
W8K1dSnaWBLBdQIn/LW/GcMsDfAW8ZWLN2ytVbYXNa+u72pR505VsJTAhBrH
pBzeGWyUbQradoaami78MKeTKlgpN8O7NBB509bTPhpjrSEGoVhFKNWnVKKV
UCbQKtzCrU0b1++WAC0LoY5rxkcKTSNRLdU3PRCgXshSGhHKst8PQ/AZTSfS
fGs5vbQYRVGhmdHrqImnrz53NeTVuXtPXYrYlddog8+/50HmvcLfB2K2zvtX
QXQktMPXm7Y8QwNpixRXNOJawIGcBTH6E/61i6qQLmZr5eSgeEG+fMzfXP+d
Hv+kjo3n1c3VNT1vHip4+zPC9VYkEpTh6znY/lujdjdmQcgrWIKbVTsSNOp7
RyiMoQuwnZhhHiOjztr54UmIC+T+I2bt2DQz83iZkbpclgukfAY3Jz8uZ34j
LiIQciddiE9MaCSJrketRY5ON+WzvQxNyL4ZiyfoHQK9/wGc0uBwxmc7zswI
O+yApD4aZo0NuRRz7n9qb+0h8HEyC6TTjzB4G/0OHvUVNyVwH9ZmgzIJQgiX
baV0rfGQS02cqAjwNH4kw/G+xoEi5VqW8vnYT/OOgfyS5MG28U1cODvxV/Hu
yMmosWPEQ0qfMLZnQBBE6zfB0LPjSkfBuA5cfdAOeWffgTBCeG07BXO2Z9SI
n/jtcOEE/6nQJj+WQ/NJ01dLw+aBrFXnQ2TX47MPzj4NxpNj4LH/AnreABQC
GQAA

-->

</rfc>
