IETF Logo Mail Archive

Re: [Keytrans] Draft Charter

Roman Danyliw <rdd@cert.org> Thu, 18 May 2023 22:45 UTC

Return-Path: <rdd@cert.org>
X-Original-To: keytrans@ietfa.amsl.com
Delivered-To: keytrans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 505C1C151075 for <keytrans@ietfa.amsl.com>; Thu, 18 May 2023 15:45:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YEX2gW1I7Wa7 for <keytrans@ietfa.amsl.com>; Thu, 18 May 2023 15:45:01 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0718.outbound.protection.office365.us [IPv6:2001:489a:2202:c::718]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B95F5C14CE24 for <keytrans@ietf.org>; Thu, 18 May 2023 15:45:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=lTsgA+VzNK20zLojCG2dNS2sA/bpk0i+c385yWTHhLmr07ePHo8t8tjyqJwXQwB6KpiCxzSNSfcgiLufiLtzc7ulNRABEJrFHZB8pIXkZRJBPGQvjRpZUc8KVQETAzJnVbTKca/uvBud9ZqXWNZpdnsw/gIYmjM8Kpzju4jkZY07qaXChCjyVKxFMrENVdYwd58kNaqC8iXNJc1ivZvgcLzzMXl+d7n/lDYLQdxkDSXnds8gOEp8PSdmaJeebfmLBgxk3Fe+RIIkcwX1z38YXlfCGide996virZPTjFj36HHzFU86XeKwW+5mj4ROFKRqYtljZiJJCmMIj45/dIk7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3Of0upMg579P1CVAQnntPJ4RG+F3kBO87lNuiRCPA7A=; b=E39DDaCsC/n83XunxW9hQA2RPSpEh5a+4wu66k58tRBXTkuJfaaMTY5H7jwskvgGmuoGupq74YrvfC1TaA5WunPziIug9EzzRiIwkQQRVTY3QDZPsBWW/cV8k/iYXWjw4eNh4mHeATiSRLVSSmC6KDNedUYpO0qvpM4QRi9MgCz9gt4lm9m/zCDvzYXl8VaS+/zj4NNw5VUGle+FITFOztYPmwS6Ia4KeAsv6SikONmme6V5wrWzXUk1U0fScj7ZQ8vVpS4QTQWNleukbogzxf2RezRK2lRCLEgenFcJZUWnzT7yA2w5J+azVZmfryN/pZZJu9hRZKRjFs5QUtuRFQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3Of0upMg579P1CVAQnntPJ4RG+F3kBO87lNuiRCPA7A=; b=Wpt7Lm0Q3A0J7H61hwJRPb2Acz53pC3WqCL1BSSeg/5EY/7VOpblSL6tq5qSf4L9v42rsGbSmM7m0+o7rvMP/HzPmoPvx9bsDq75qvELCP6YabC7xtTzzZsZ8iodiz1zkRVFSz1yie0pbwIxGHQfzObBmEs3VhQAm53qmpsljIU=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1139.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6363.32; Thu, 18 May 2023 22:44:56 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::29b2:8307:6a90:c79f]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::29b2:8307:6a90:c79f%7]) with mapi id 15.20.6387.034; Thu, 18 May 2023 22:44:56 +0000
From: Roman Danyliw <rdd@cert.org>
To: Brendan McMillion <brendanmcmillion@gmail.com>, "keytrans@ietf.org" <keytrans@ietf.org>
Thread-Topic: [Keytrans] Draft Charter
Thread-Index: AQHZZ/mrYzk81TI8ykKLY9zRqrw5BK9dlS0w
Date: Thu, 18 May 2023 22:44:56 +0000
Message-ID: <586975b6ed364c1fb51a504c552e1b05@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <CAJTd26K9hdZdABJLoA7C4nn9FaAajDMu9BDV_6W3V3aZ0rf_nA@mail.gmail.com>
In-Reply-To: <CAJTd26K9hdZdABJLoA7C4nn9FaAajDMu9BDV_6W3V3aZ0rf_nA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1139:EE_
x-ms-office365-filtering-correlation-id: 70f48a9d-2fe8-4195-7bfc-08db57f180e8
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: qUuV9eeaqSdx/ahelW85Dq7ZwMIETKEzsCWWOMiRbWIkthd/0iC24dhPTDZV+DojRfiCvdPmylSkyD2FKMceYivX0lGicOMDlnu19MRMR2pxGuCFbaIzvbo3g/lSBwsCsYptlq5HXX2cWb2p2P6omsynsdYbhdA3uW8CWZu+Fxy9OlHA1IEljLtnOGwxlGcCOSM0nYP4+bFgSu6bkmCR9BUddZa9J4Ch03FTGXNS/DSDLYW6mVZhtTYtaN8Ei41Hy67du9DPGzIlj3+tSs/oGLxRG1oJrdYHUgJX7VfUsDgHFepS74as1SnX4IXoqRPvAs2IjhHJBeVokQgIbqs97e6Uhs3LuqvUrlA6fWy/RnjzVQsy7djvQ+410kPRSRT4QKjfNt250a3NDvzhO+I0ql2BsyBZR/ByQk592gjtZZMrhttpR6+h8DYeJr3zo+pR+SgP6wmdmnyffTJJSxSR7HFzrvpVbjcuMXobySOkCvtPefYhnMz38gkgPOo3EcddX5L82nTUdTkoOgdXV13qrtsxLCAiVZG7u7ptwdsawzKNhMRLBWTxZLEXko57ohZobIOlSyzmLpIixmYWbye88VHUAn9UxpALDoQZbvYRGyAd84zSYnq2JiZ/uHByP5vR
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230028)(39830400003)(136003)(366004)(396003)(451199021)(26005)(122000001)(9686003)(8676002)(108616005)(38070700005)(82960400001)(41300700001)(30864003)(83380400001)(186003)(2906002)(41320700001)(5660300002)(166002)(55016003)(71200400001)(6506007)(966005)(7696005)(110136005)(24736004)(66476007)(66446008)(8936002)(38100700002)(66556008)(66946007)(64756008)(76116006)(86362001)(508600001)(5930299015)(53546011)(66899021)(15940465004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 6pZmsY+znJBhP5AOymA7jMfB9a3PghcN0yGzF0XTLumtuNKbB6t4Q9Pdmm91W9jLelFKcOvSz5wC2wGvIz5De7HFwWGLGBBn/qKanDb7d8Uuho4ODgnTz3q22jBhRqO5//D2GulVybgsBwOW78XuOhiuRo03J4K8qN1Xnj0ge3gh0pamJyiXAWOSHFQV/n/KguqXHl91Kp0MFXqY8VXRaKyoGGxfdVRSPo4jlCvZ/b+m34hzZykGvMNEBf8hOjuvM9vlKi14Ja7AhIP/77/aYv/9rqZ8D43zhhWLfb/6yPNvox+S05tIYUd609HXQLgWnWiMFEQo0s9u5OezZs+pWro9qDmBbXPV1I/WA0bC0tvqZRqlOtO6eQ+Axd1pMa1boVVacK3o1cxVC1UsR7+eR8Oeojhxmsdjpsa5D5CIlVg=
Content-Type: multipart/alternative; boundary="_000_586975b6ed364c1fb51a504c552e1b05BN2P110MB1107NAMP110PRO_"
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 70f48a9d-2fe8-4195-7bfc-08db57f180e8
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2023 22:44:56.3941 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1139
Archived-At: <https://mailarchive.ietf.org/arch/msg/keytrans/GfDMvADn5ZgdR7ZfTZt2y296Nuo>
Subject: Re: [Keytrans] Draft Charter
X-BeenThere: keytrans@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Key Transparency <keytrans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/keytrans>, <mailto:keytrans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/keytrans/>
List-Post: <mailto:keytrans@ietf.org>
List-Help: <mailto:keytrans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keytrans>, <mailto:keytrans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2023 22:45:06 -0000

Hi!

Brendan: thank you for taking the next formal step after the BoF in Yokohama to draft a charter based on the feedback from that meeting and from the ensuing mailing list conversation.  It is exactly what was needed.

Also, thanks to those that have already given it a review on the list.

Below is mix of feedback I have based on my review; repeating items raised at the BoF or residual to the discussion already on the list; and calling out a few items I know have snagged prior charter approvals in the IESG.

==[ snip ]==

> Public keys in end-to-end encrypted systems are often authenticated solely by

> the assertion of the communications service provider. As a result, the

> underlying encryption protocols are left vulnerable to eavesdropping and

> impersonation by active attackers, in particular the service provider itself,

> which can distribute malicious public keys to selectively gain access to

> communication. Similarly, a malicious service provider could take advantage of

> its privileged network position to launch a number of other attacks, such as:



Given the lack of consensus on the definition of an “end-to-end encrypted system”, I could see this framing snagging the charter review process.  Since this introductory paragraph be restated in the context of a “communications service provider”?  Perhaps:



NEW

Public keys used to provide end-to-end encrypted communication services are often authenticated solely by the assertions of the underlying service provider.  As a result, the underlying encryption protocol used by this service are left vulnerable …



Later in the text the proposed scoping is “an end-to-end encrypted system for human-to-human(s) communication”.  Should that language be used here?



> - Silently partitioning a group, thereby selectively excluding some members of a

> group communication from the rest.

> - Falsifying information about the state of a group, allowing it to eavesdrop on

> messages sent by new joiners.



Is the protocol developed by KEYTRANS WG expected to mitigate these threats?



> To prevent these attacks, end-to-end encrypted service providers are



Nit. Is it “end-to-end encrypted service provider” or “end-to-end encrypted communication service provider”?



> increasingly looking for a way to authenticate information about artifacts in

> their system. These artifacts include end-user accounts or specific group chats,

> where the service provider may wish to authenticate a user’s long-term identity

> key or the state/membership of a group. This authentication scheme must be:



I appreciate that this text was edited based on list feedback.  I’m stuck on the vagueness of the abstraction of “artifacts”.  Walking out of the BoF, I was under the impression this work was largely about some identifier + public key + (maybe) additional meta data.  Are we now potentially talking about a protocol to trade arbitrary data (no public key information) – the notional working title of the WG is “_key_ transparency”?  I can see how using “artifact” would cover all cases, but it also leaves an overly broad scope.  Could the definition be constrained even more in some way?



> User-friendly: Little (ideally zero) user action, or even awareness of the system,

> is required to achieve the authenticity guarantees.



-- Out of the IETF 116 BoF, it seemed like there was support for the “contact monitoring” deployment model per slide 6 of https://datatracker.ietf.org/meeting/116/materials/slides-116-keytrans-example-approach-from-brendan-mcmillion-01.  This “user-friendly” property doesn’t suggest to me that there will be an API of sorts for the user to perform first party checking of their public key.



-- If the user awareness is no longer a consideration, can this text be more specific on who is the authenticity check is for?



> Private: The service provider is able to enforce access control policies such that

> the existence of a specific artifact or its associated data is only revealed by the

> service provider’s explicit choice.



Is it possible to decouple the entity providing the key transparency with the communication service provider?  This text makes it seem like it is one thing.  Do we know right now (without trying to engineering things in the charter) that there should be this flexibility?



> Efficient: The computational requirements for both end-users and the service

> provider scales sub-linearly with the number of users in the system.



-- What is an “end-user” in this context?  Is this an application?



-- Is this “service provider” the “communication service provider” mentioned in the first paragraph?



> Sustainable: Data that’s no longer required by end-users may eventually stop

> being stored.



This sustainability seems like a great end-of-end system goal.  Is it in scope for the protocol?



> Several organizations have attempted to develop such a system but have

> struggled to overcome the collective burden of needing to independently

> research which constructions from academic literature best satisfy their needs,

> fully understanding each construction’s security guarantees, and maintaining

> their own implementation in production.



Consider if this text is needed.  It doesn’t seem to specify or scope what the WG will do.



> The primary goal of this working

> group is to develop a standard for authenticating information about artifacts in

> an end-to-end encrypted system for human-to-human(s) communication with

> the above properties.



-- Editorial.  s/The primary goal of this working group/The KEYTRANS working group/



-- I see some symmetry in this charter’s construction with how the MLS’s charter was written (https://datatracker.ietf.org/wg/mls/about/) in that it lists properties of the desired protocol and what is not in scope while providing ample flexibility.  Not sure if that is a coincidence.  The desired properties listed are a good start.  However, this text would benefit from clearer statements/requirement on who are the parties and what each would get from this proposed protocol (just like the MLS charter did).



> This allows shared validation, and allows applications to

> share code.



Could this text be clearer on what is means to “share validation”?

> It is not a goal of this working group to develop mechanisms for authenticating

> relationships between artifacts in an end-to-end encrypted system and external

> systems, only that certain data belongs to a given artifact. For example, we

> would not specify ways to verify that an account controls a phone number or

> email address, or belongs to a specific legal person.



I am not sure what it means to “authenticate relationships” or “belongs to a given artifact”.  Is it as simple an identifier can have a collection of other properties associated with it?



> It is also not a goal of this working group to enable interoperability between

> end-to-end encrypted services. Full interoperability of an application would

> require alignment at many different layers beyond security. The focus of this

> work is to develop an authentication mechanism that different applications can

> adapt to their own needs.



“[D]evelop an authentication mechanism that different applications adapt” seems too generic.  Up to this point in the text there is a “protocol”, “authentication scheme”, and now and an “authentication mechanism”.  Recommend streamlining or removing this last sentence.  The first two sentence of this paragraph seem clear to me that this work is not about ensuring generable interoperability.



> Further, it is not a goal of this working group to develop an end-to-end

> encryption protocol for user messages. Rather, the authentication mechanism

> developed by this group will be able to be integrated into other end-to-end

> encryption protocols. The working group will publish a document describing an

> integration with MLS, and may adopt additional documents in the future

> describing the integration of KT with other encryption protocols (where the

> exact security guarantees provided will depend on the underlying encryption).



This is the first time “KT” is mentioned in the document (editorial aside, expand on first use).  Should it be used earlier in the text?  At least from the BoF and the analog to certificate transparency, the current framing of the text seems to be removed from the “key” (it is about artifacts) and the “transparency” properties to deliver are not clearly spelled out.



> The intent of this working group is to follow the pattern of TLS 1.3 and MLS,

> with specification, implementation, and verification proceeding in parallel.



Please be clearer on what this patterning of other WGs means if it is intended to be binding.



-- “Specification”, not sure what this means.



-- “Implementation”, does this mean that there needs to be a number of interoperable implementations before this specification would be submitted to IESG for publication?



-- “Verification”, does this mean that independent, peer-review, formal verification of the protocol needs to occur before being submitted to the IESG for publication?



Are there any WGs with whom coordination needs to be done?  MLS? MIMI?

> Goals and Milestones:

>            Oct 23 - Initial working group document adopted for transparent data

> authentication mechanism.



Editorial.  The above text doesn’t mention “transparent data authentication”.  Consider if this notion of transparency needs to be added in the charter text.



>            Jan 24 - Initial working group document adopted describing MLS

> integration.

>            Oct 24 - Submit both documents to IESG as Proposed Standard.



Consider given delivery a bit more time perhaps into mid-2025.



Consider if adding any supporting documents (e.g., architecture or use case document(s)) would be valuable.  As written, they would not be in scope for the WG.


==[ snip ]==

Regards,
Roman

From: Keytrans <keytrans-bounces@ietf.org> On Behalf Of Brendan McMillion
Sent: Wednesday, April 5, 2023 4:00 PM
To: keytrans@ietf.org
Subject: [Keytrans] Draft Charter

Hello keytrans@

After the successful BoF, the next thing we need to do is agree on a charter for a working group. >From RFC 2418, a working group charter "specifies the direction or objectives of the working group and describes the approach that will be taken to achieve its goals." This side steps some of the technical discussions we were getting into a bit in the BoF, and just says "here's the problem we want to solve, here's how we'll go about that."

I wrote a draft charter here: https://docs.google.com/document/d/12NMFA0P1OYtE6_QoqP3J80tDr0z2-FEm2ZdiWeauAHE/edit?usp=sharing

Please respond on the list if this looks good to you, or you can give feedback either on the list or as comments in the document. Thanks!

v2.23.0 | Report a Bug | By Email