IETF Logo Mail Archive

Re: [MLS] Possible erratum: Re-adding a member

Raphael Robert <ietf@raphaelrobert.com> Fri, 08 September 2023 19:09 UTC

Return-Path: <ietf@raphaelrobert.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C403EC14CE54 for <mls@ietfa.amsl.com>; Fri, 8 Sep 2023 12:09:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=raphaelrobert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uy9__PjK_DHc for <mls@ietfa.amsl.com>; Fri, 8 Sep 2023 12:09:03 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BF7FC15155E for <mls@ietf.org>; Fri, 8 Sep 2023 12:09:02 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-401b0d97850so26541325e9.2 for <mls@ietf.org>; Fri, 08 Sep 2023 12:09:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raphaelrobert.com; s=rr; t=1694200141; x=1694804941; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=5xV+B+CG6XCfZjfJoUFM9i19OnKtTjJOzriI4FfKcq4=; b=G1182Bh81EV6pDX4Ii3+QFgBA3tmGQBQSszKhUT9wBax8w8jTJyszzjUHqwKWL504q 6UO76/jWnTFSjfxfh1A6pfYwJt7fNRI4J7kOHLz3sSd6HXM3VkL1plpCad9FvWqU6bby 4MxML8q30u5QFUMh9gZOdjS5ABFGTmUlN1yrE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694200141; x=1694804941; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5xV+B+CG6XCfZjfJoUFM9i19OnKtTjJOzriI4FfKcq4=; b=pyAmRCS+DEyGBcrlaS3x4SnhqoaeY4i6Qcka9+lCDhHDGLeivI79osg5EpPG1k0eaT hVEC2doSB+3Qp10W+uHQeKZlDBwNE+4aISe9/6twSCpGDNBAaDcWzbA/qMaQcmyoIYq1 4iMLCqRbIFRMuVvXc1djQoJUc8tCbDfHEuI5OtRe2wIlZD6O/XyKO2io0gUF+OeSn4Sk y3cEnjmIXAyJQmABxJUSXHPJoSp/YVDIf4lC5UNO7oAMT2u01uX4kwdb4YdPiIYJR5NV WguRaMK05dxkwFawIN4zJLCHJANA/+zS311grXHqtRi+GuvETR67d/OOUG+mrDGU3hZU UNcQ==
X-Gm-Message-State: AOJu0YwkPyNjhhXl6EeaZz3fmeK0W/3fR/HPbTeOMLXmG/oTFmGVVgSd E6rDAtylYyjP8hRA7IHOPhdjp4zECGvFE9KpsXAaoDMm
X-Google-Smtp-Source: AGHT+IFHtmGqa2arhmEd6IaCcEU9O0WYRvFMts1La5cmrl18d7FyTGvfYTtHU4StUyU1+MO94n+LDQ==
X-Received: by 2002:a05:600c:2116:b0:3fb:b008:2003 with SMTP id u22-20020a05600c211600b003fbb0082003mr2946836wml.38.1694200140466; Fri, 08 Sep 2023 12:09:00 -0700 (PDT)
Received: from smtpclient.apple (ip-095-208-235-051.um33.pools.vodafone-ip.de. [95.208.235.51]) by smtp.gmail.com with ESMTPSA id 12-20020a05600c028c00b003fee6e170f9sm2666329wmk.45.2023.09.08.12.08.59 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Sep 2023 12:08:59 -0700 (PDT)
From: Raphael Robert <ietf@raphaelrobert.com>
Message-Id: <4B198099-1AA7-4F97-9B48-51856C457892@raphaelrobert.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B645CAA5-60C2-4742-BB62-5B5F7B7468FD"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Fri, 08 Sep 2023 21:08:48 +0200
In-Reply-To: <CAL02cgShkCB4MAAhCWFtc=kdC-wL-sNQu+hPDpbAVKT+keYwvw@mail.gmail.com>
Cc: Rohan Mahy <rohan.mahy@wire.com>, Messaging Layer Security WG <mls@ietf.org>
To: Richard Barnes <rlb@ipv.sx>
References: <CAL02cgQ7pzxOFZMvmkBKOcCmaKzRqbxxzfZgZoRpP9oks92S9A@mail.gmail.com> <CACW8--Ow-GfKjLheh+K535MFfu6jpx0qsTPxOaTMR-NDecS=kA@mail.gmail.com> <CAL02cgShkCB4MAAhCWFtc=kdC-wL-sNQu+hPDpbAVKT+keYwvw@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/0iqfFozewU7w4TKSnxd0Jmed0bw>
Subject: Re: [MLS] Possible erratum: Re-adding a member
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 19:09:07 -0000

I would also interpret 7.3 in the same way as Richard and Marta. The intermediary group membership state while applying proposals should not be relevant, since applying proposals is fundamentally an atomic operation from the perspective of clients/applications. 
I don’t really see the need for an erratum to clarify that such a Commit is indeed valid. If however the consensus turns out to be that the Commit is invalid, we would need an erratum.

Raphael

> On 8. Sep 2023, at 19:05, Richard Barnes <rlb@ipv.sx> wrote:
> 
> This isn't about removing your own node, it's about replacing someone else.  For example:
> 
> - Alice is in a group with Bob (and possibly others)
> - Alice's device loses its state, except for signature key + credential
> - Alice sends Bob a request to re-join with a KeyPackage, that has the same signature key + credential, but is otherwise fresh
> - Bob recognizes that these are both Alice, issues a Commit that removes old-Alice and adds new-Alice
> 
> 
> On Fri, Sep 8, 2023 at 12:28 PM Rohan Mahy <rohan.mahy@wire.com <mailto:rohan.mahy@wire.com>> wrote:
>> Hi Richard,
>> I see a use case for this in the External Commit case. This brings up that maybe we need a clarification that a member can send an External Commit to replace itself (because it has lost its state).
>> 
>> In the case of a regular commit, what is the use case? Surely an UpdatePath would accomplish every possible use case of an in-group Add and Remove. By my read, any Commit containing a Remove of your own leaf node is currently prohibited.  
>> 
>> Thanks,
>> -rohan
>> 
>> Rohan Mahy  l  Vice President Engineering, Architecture
>> 
>> Chat: @rohan_wire on Wire
>> 
>>  
>> 
>> Wire <https://wire.com/en/download/> - Secure team messaging.
>> 
>> Zeta Project Germany GmbH  l  Rosenthaler Straße 40,  <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>10178 Berlin,  <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>Germany <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>
>> 
>> Geschäftsführer/Managing Director: Christian Salza
>> 
>> 
>> HRB 149847 beim Handelsregister Charlottenburg, Berlin
>> 
>> VAT-ID DE288748675
>> 
>> 
>> 
>> On Fri, Sep 8, 2023 at 8:23 AM Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> wrote:
>>> Hi all,
>>> 
>>> I came across a situation where I think the spec might be ambiguous, if not incorrect.  Consider a situation where a member is removed and re-added in the same Commit, using the same signature key for both the old and the new member, but fresh keys otherwise.  Is this a legal commit?
>>> 
>>> (Note that in addition to normal commits of this form, the "resync" external commits that the spec mentions also have this form.)
>>> 
>>> On the one hand: The spec says that a proposal list is invalid if...
>>> - [12.2] It contains an individual proposal that is invalid as specified in Section 12.1 <https://www.rfc-editor.org/rfc/rfc9420.html#proposals>.
>>> - [12.1.1] An Add proposal is invalid if the KeyPackage is invalid according to Section 10.1 <https://www.rfc-editor.org/rfc/rfc9420.html#keypackage-validation>
>>> - [10.1] Verify that the leaf_node of the KeyPackage is valid for a KeyPackage according to Section 7.3 <https://www.rfc-editor.org/rfc/rfc9420.html#leaf-node-validation>.
>>> - [7.3] Verify that the following fields are unique among the members of the group: signature_key 
>>> 
>>> On the other hand: The spec also says (emphasis mine):
>>> - [12.2] It contains an Add proposal with a KeyPackage that represents a client already in the group according to the application, unless there is a Remove proposal in the list removing the matching client from the group.
>>> 
>>> So if you read "members of the group" in the former text as "members of the group before any of the proposals are applied", then my proposed Commit is illegal.  If you read it as "members of the group after any Remove proposals are applied" (as in the latter text), then the proposed Commit is fine.
>>> 
>>> Personally, I think the right answer here is for such a Commit to be valid.  Basically because I don't think a "resync" operation (either externally-driven or within the group) should force a signature key rotation, because signature key rotation is expensive when signature keys are tied to things like transparency or certificates.
>>> 
>>> If we can get agreement on the outcome here, it seems like we should probably file an erratum clarifying the situation.
>>> 
>>> Thanks,
>>> --Richard
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org <mailto:MLS@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/mls
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.23.0 | Report a Bug | By Email