Problem: MLS member leaving/joining interaction with council nodes not documented #141
Description
From the audit discussion
Who among the validators invites a newcomer when a new validator node joins?
Assuming TDBE is (in normal circumstances) provided with network updates (relevant transactions, events...), it'll go like this:
block N (time N_t), there's a valid NodeJoinTx with a metadata payload, including a ClientInitKey
TDBE corresponding to node with index 0 in the ratchet tree generates "Welcome" and "Send" payloads wrapped in a single MLS-related transaction that's then broadcasted/gossiped by Tendermint (let's call it MlsAddTx)
block M (time M_t), MlsAddTx is proposed to be in a block:
if M_t <= N_t + timeout, it's considered valid and propagated to validator TDBEs
if M_t > N_t + timeout, it's considered invalid and the process restarts with Step 2., but TDBE corresponding to a node with index 1
(and this may continue with indices 2,3,... the consensus assumption is <1/3 of nodes are malicious)
One consequence of this is there may be multiple MLS Welcome/Send payloads for one newcomer -- only one of them is applied.
Who among the validators triggers the group and key update when a validator node leaves?
Same logic as above with joining, but there multiple ways to trigger "validator node leaving" (operator decides to leave and broadcasts relevant transaction, its node was observed to be faulty, ...)
I guess for the nodes that are not in the validator set, but requested to join / have enough stake, their TDBE keypackage will still be a part of the MLS group structure and expected to generate those MlsAddTx transactions/react to the network changes.
For nodes not generating these update Txs in time, they may need to be punished