Richard Barnes

In interop testing, @mulmarta discovered that `State::handle_branch` will accept a Welcome containing a PSK with usage `reinit`. We should tighten up the validation rules to preclude this. And likely also...

As a result of #262, API changes made it difficult to support inline proposals in the interop harness. We should re-enable inline proposals, either by updating the gRPC interface to...

The `RatchetType` enum in `key_schedule.h` is unnecessary. Callers should switch on `ContentType`; storage should just directly have handshake and application ratchets instead of an `std::map`.

Signed objects, especially GroupInfo and KeyPackage, are used in basically two ways: 1. Instantiate => sign => serialize 2. Deserialize => verify => instantiate Given that, it seems like we...

As the MLS spec finalizes, we are about to be doing a bunch of interop testing with other implementations. To facilitate debugging inevitable interop problems, we should add logging of...

Two halves to this: * Send the supported_versions and supported_ciphersuites extensions * When initializing a group, verify that the chosen version/suite is the highest supported

Support raw public keys (RFC 7250)

1

Main components here: * Definition of the `client_certificate_type` and `server_certificate_type` extensions * Related negotiation logic * Generalization of certificate logic in the handshake to support both raw keys and certificates

A new, simpler frame reader that is capable of handling variable-length headers. This should make it possible to implement DTLS compressed headers, and might also provide a way to implement...

Right now, mint sends an individual record for every handshake message, which incurs at least 17 bytes of overhead per handshake message (16-byte tag + content type). With this PR,...