The protocol should explicitly acknowledge that revoking access to already-delivered and decrypted data is impossible, and not attempt to create an illusion of control.
Proposal: formalize as ADR candidate:
Removing a participant from an MLS group = rekey (new epoch); messages sent after the removal are inaccessible to them. Messages they already received remain their property.
"Delete message" = append-only CONTENT_DELETE record in the DAG. Clients may hide the target in the UI. Data already at recipients persists.
No DRM mechanisms, no screenshot prevention, no disappearing messages as a security guarantee. Disappearing = optional UX hint (a client may hide content once its TTL has passed), not a cryptographic promise.
No "delete for everyone" with actual enforcement.
Rationale: data on my device is mine. Pretending otherwise violates individual sovereignty and is technically dishonest. Consistent with ADR-006 (explicit over implicit) and the "leak, don't hide" design maxim.
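To make the proposal concrete, here is a toy model of the four points above (added illustration, not the project's code). It assumes an integer logical clock, a single shared list standing in for every client's replica of the DAG, record kinds named MESSAGE and CONTENT_DELETE, and an HMAC-SHA256 counter keystream as a stand-in for the MLS AEAD; epoch rekeying is modelled as a fresh random secret handed only to remaining members. The point it demonstrates: a removed member still decrypts everything from before the rekey, and a client that ignores tombstones and TTLs sees "deleted" and "expired" content exactly as it was sent.

```python
"""Toy model: append-only record log, epoch rekey on removal, deletion as a tombstone hint.

Added illustration only; record kinds, field names and the cipher are assumptions,
not the project's actual wire format or key schedule.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter keystream. Toy stand-in for the MLS AEAD;
    symmetric, so the same call decrypts. Not for production use."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], stream))
    return bytes(out)


@dataclass(frozen=True)
class Record:
    id: int
    kind: str                         # "MESSAGE" or "CONTENT_DELETE" (assumed names)
    epoch: int                        # group epoch the record was written under
    author: str
    parents: tuple                    # DAG heads at append time
    payload: bytes                    # MESSAGE: ciphertext; CONTENT_DELETE: target id, big-endian
    expires_at: Optional[int] = None  # optional UX hint on a logical clock, not a guarantee


class Group:
    def __init__(self, members):
        self.epoch = 0
        self.members = set(members)
        self.epoch_keys = {0: os.urandom(32)}
        # Each member's own keyring. remove() never reaches into it:
        # keys already delivered stay delivered.
        self.keyrings = {m: {0: self.epoch_keys[0]} for m in members}
        self.log: list[Record] = []   # append-only; stands in for every client's replica

    def _heads(self) -> tuple:
        return (self.log[-1].id,) if self.log else ()

    def _append(self, kind, author, payload, expires_at=None) -> int:
        rec = Record(len(self.log), kind, self.epoch, author, self._heads(), payload, expires_at)
        self.log.append(rec)
        return rec.id

    def remove(self, member: str) -> None:
        """Rekey: a fresh epoch secret goes only to remaining members. Old epochs are untouched."""
        self.members.discard(member)
        self.epoch += 1
        self.epoch_keys[self.epoch] = os.urandom(32)
        for m in self.members:
            self.keyrings[m][self.epoch] = self.epoch_keys[self.epoch]

    def send(self, author: str, text: str, expires_at: Optional[int] = None) -> int:
        rid = len(self.log)           # record id doubles as a unique nonce in this toy
        ct = _toy_encrypt(self.epoch_keys[self.epoch], rid.to_bytes(8, "big"), text.encode())
        return self._append("MESSAGE", author, ct, expires_at)

    def delete(self, author: str, target_id: int) -> int:
        """Append a CONTENT_DELETE tombstone. Nothing is removed from the log or from any
        recipient; who may tombstone what is a policy question left out of this model."""
        return self._append("CONTENT_DELETE", author, target_id.to_bytes(8, "big"))


def render(group: Group, member: str, now: int, honor_tombstones=True, honor_ttl=True) -> dict:
    """What one client displays: {record_id: (status, plaintext_or_None)}.
    honor_* model a cooperative client; a modified client simply passes False."""
    tombstoned = set()
    if honor_tombstones:
        tombstoned = {int.from_bytes(r.payload, "big") for r in group.log if r.kind == "CONTENT_DELETE"}
    view = {}
    for r in group.log:
        if r.kind != "MESSAGE":
            continue
        key = group.keyrings[member].get(r.epoch)
        if key is None:
            view[r.id] = ("no_key", None)   # written after this member was removed
        elif r.id in tombstoned or (honor_ttl and r.expires_at is not None and now >= r.expires_at):
            view[r.id] = ("hidden", None)   # UI courtesy only; the bytes are still in group.log
        else:
            view[r.id] = ("shown", _toy_encrypt(key, r.id.to_bytes(8, "big"), r.payload).decode())
    return view


def demo():
    """Constructed scenario: three members, one removal, one TTL hint, one tombstone."""
    g = Group(["alice", "bob", "mallory"])
    m1 = g.send("alice", "hello all")
    m2 = g.send("bob", "secret plan", expires_at=100)
    g.remove("mallory")                     # rekey; mallory keeps the epoch-0 key she already has
    m3 = g.send("alice", "mallory is gone")
    g.delete("alice", m1)                   # tombstone, not erasure
    return g, m1, m2, m3
```

Running `demo()` and rendering for "mallory" shows the three outcomes side by side: the post-removal message is `no_key` (the rekey actually works), the tombstoned and expired messages are `hidden` only while her client chooses to honor the hints, and with `honor_tombstones=False, honor_ttl=False` both come back as `shown` with their original text. The log itself still holds the MESSAGE record after the CONTENT_DELETE was appended.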