Re: [MLS] Recommendation for encrypted group operations
Richard Barnes <rlb@ipv.sx> Tue, 30 January 2024 21:19 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 261DAC15107A for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 13:19:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xgvu_h62sXC0 for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 13:19:46 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E07AC14CE27 for <mls@ietf.org>; Tue, 30 Jan 2024 13:19:46 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id ca18e2360f4ac-7c01af010bcso8405139f.0 for <mls@ietf.org>; Tue, 30 Jan 2024 13:19:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1706649585; x=1707254385; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=5S96AWzFqW2/NhGikcue6OaVHDV3Q5mC+ifHJMBee9Y=; b=00GCcQgpbEKo5hAirMT67+NGeuCu/+gvcFgD8DnCIEijnJYLWL+2t20bo/3hKH+PzN /RZIOivHTEOyoimZlryB4X+t/zdLsczb8yyhdGXxIkhBCmrJ1l1zytLpc3PNd/AtYNEr esCttIDDafBJ3/nrdv0C1vSvvDBbIEo7OvNO7bcRfkvK9HQchzzDfjCcs8gvHnd5HdPt FimiJP5e+t1pXJeKdArN0TV+nK6v246ynslvlzmYGss2Ly4Rz3vZZf+soYtFdBndPV+4 B7Y2Bcr6qvm+QL45lPNS/fR+bXNZ1BAKGcktW0aRZ64PkCO2mv+H0sp6Et7akVXP2Os0 yPuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706649585; x=1707254385; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5S96AWzFqW2/NhGikcue6OaVHDV3Q5mC+ifHJMBee9Y=; b=SkWLNT/kAOv3t5s7wIDtk4YrLK/X/KtrEdaLNKPCDkFZmObV8dsXtAL/XKhwyoIX+c DuhTcoAinTC7rHh+4+UIQ72SzcNWZSVM3e48jZx5gl+SHZUTnIamQDbENLAuSNFc+as+ HH+jdHnS74WYmVs7l/vrWK95WpArmGNw9WVLJTJQixA3yR3zMK1208MIw013s4RcjKVd I9tuOBFkFZXGA5cr6GN/aGl+OR6ToyUUvd9xJNJdRZvK0VXVumPz2e9lhslGfhJAYjl+ v7zwMWWw8CUXzHfIrNh40wnDrgw63zvx9UUDe6G6ohbeRVxC4/UnWY+yblpqyoDBsIwr EbDQ==
X-Gm-Message-State: AOJu0YyKIIr1up4YIl46g/B8MwpcSoDX6KzPmBa1CsLXkMJDgUNnUkyy ++gt/lmsL9W6xUx5kVcNZGPRoMNoRln2dqzL4BJDpEcijWfo5k7V2tyFXm1OCi71GQhMDlBYspW bejrbJVOU6egadrq+ZidzN4i/F/p5Rhmrq4wXWUEu8GKm1LFG
X-Google-Smtp-Source: AGHT+IEhI0DHKFDu6S5HIoCnKnYH3pTllyWDaCUmSh7KtrLqzSCuHgmeZfBSExwY5yNdIxo3zrQv/8j6IbU7DYdTuj0=
X-Received: by 2002:a92:a30d:0:b0:361:8ced:91be with SMTP id a13-20020a92a30d000000b003618ced91bemr8423837ili.12.1706649585158; Tue, 30 Jan 2024 13:19:45 -0800 (PST)
MIME-Version: 1.0
References: <CAJTd26+hJjKaZZenN3bQuVaifJotVhbpQoYEBLBaN7KiOw2_Qg@mail.gmail.com> <CABcZeBNT=EBMrmOJ1pBpaThs6BcVuajXYt+ziXzEMZU0LKjfjg@mail.gmail.com> <CAL02cgQkOxg6f1U-GwAWTOBDv96yvV1bEFZ=F7ES+Qhs7vDJLA@mail.gmail.com> <CAJTd26L-ROx_T5RaDU9cZscTzOZGM9zGmgwN=_iAtGWw2jgJUA@mail.gmail.com> <CAL02cgR03wgwLFARPPwx1ROCsvPUk0xR83FSudjv0b7aR21yzg@mail.gmail.com> <CAJTd26L_AVPwnm+5-H2nA_x4j2tLZZOKHykBNmvk0PO9oUL4Ww@mail.gmail.com> <CABcZeBPOGtFu=UXyqV-ftiMYx1rXJYbxRNE+Hfggsws8bZ2zwA@mail.gmail.com> <CAJTd26JXHjqVbHs91g+oUbuBrX88geOjbGqz1EW-7TUOLgAQWg@mail.gmail.com>
In-Reply-To: <CAJTd26JXHjqVbHs91g+oUbuBrX88geOjbGqz1EW-7TUOLgAQWg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 30 Jan 2024 11:19:39 -1000
Message-ID: <CAL02cgS-Y3mVxhqiepSLj5SoLNiDaFPZs2EgsoZ7NW1xivu53g@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000047a79f061030521b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/2KyIamhyX_B1kK2jVnq2DX0fDdA>
Subject: Re: [MLS] Recommendation for encrypted group operations
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 21:19:50 -0000
#1 is an "only" issue in those cases, but real apps care about those situations. Uploading the ratchet tree was a primary constraint on Webex's scaling of MLS to support real meeting sizes. #2 is certainly an issue in enterprise settings, but more generally, it applies in any case where it's not acceptable to wait to enforce policy decisions until a member empowered to enforce those decisions comes online. If you have a messaging space where a room moderator has set a policy that "nobody with a Gmail address can join", do you rely on everyone in the room to generously not add a forbidden user? Do you rely on reactive removals? Or do you have the server help by quashing forbidden joins. You basically can't have a public room *and* usable abuse mitigation without server assistance. So yes, these are real concerns. --Richard On Tue, Jan 30, 2024 at 11:10 AM Brendan McMillion < brendanmcmillion@gmail.com> wrote: > #1 is only an issue if you are supporting very very large groups, or maybe > if you have very inefficient credentials. #2 does not immediately resonate > with me, as it sounds more like a concern that you would have in corporate > environments? > > I personally have not followed the mimi wg very closely and I can not say > why they made this decision. > > On Tue, Jan 30, 2024 at 12:58 PM Eric Rescorla <ekr@rtfm.com> wrote: > >> >> >> On Tue, Jan 30, 2024 at 12:41 PM Brendan McMillion < >> brendanmcmillion@gmail.com> wrote: >> >>> I appreciate the point about the current text seeming like an RFC 6919 >>> "should (but won't)" which is why my proposed resolution was to state the >>> specific common reason why the recommendation wouldn't be followed. You're >>> claiming without evidence that the recommendation should be removed because >>> encrypted group operations have a "real cost" that is "clearly >>> prohibitive". This sort of thinking becoming common is what I think we >>> should try to avoid, and why the recommendation should stay. I'm working on >>> such an MLS deployment <https://xmtp.org/roadmap>. The cost is minimal >>> and it actually simplifies things quite a bit to assume nothing of the DS. >>> >> >> Richard in fact did state evidence in his original message, specifically >> that: >> >> 1. "Without this optimization, commits impose linear cost in units of >> data sent by the committer to new joiners, and with large constants because >> of credentials." >> 2. "there are legitimate reasons to have a server act as a policy >> enforcement point as a secondary check on clients (e.g., in cases where >> clients might be adversarial to the interests of the policy controller)." >> >> Those certainly seem like "real costs". Do you think either of those >> statements is untrue? >> >> Perhaps your argument is with "clearly prohibitive", but the relevant >> evidence for that is that when the relevant IETF WG (MIMI) considered this >> matter, they concluded that it was impractical to have encrypted group >> operations. Of course, MIMI could be wrong about that, but then what you >> should be doing is trying to convince them, and perhaps providing text >> about why that analysis is incorrect, to go into this document. Absent >> that, having a naked recommendation doesn't do anything meaningful to >> impact people's behavior and, as I said, mostly makes the IETF look like it >> doesn't have a consistent view. >> >> -Ekr >> >> >> >> >>> On Tue, Jan 30, 2024 at 10:51 AM Richard Barnes <rlb@ipv.sx> wrote: >>> >>>> This brings us back to EKR's point about RFC 6919. MLS supports those >>>> things, but at real cost. So yes, some applications might choose to take >>>> on that cost, but to date, nobody has. This document should be providing >>>> guidance to implementors about how to make good engineering decisions, not >>>> exhorting them to do the most confidentiality-preserving thing at all costs. >>>> >>>> BTW MIMI is making this decision intentionally -- it has already been >>>> discussed pretty extensively, and the costs are clearly prohibitive. The >>>> considerations are documented in mailing list posts and minutes, and I'm >>>> sure they will make it into the documents. And nothing we write in this >>>> document can compel that WG to do anything anyway, it's an informative >>>> document. >>>> >>>> --RLB >>>> >>>> On Tue, Jan 30, 2024 at 8:19 AM Brendan McMillion < >>>> brendanmcmillion@gmail.com> wrote: >>>> >>>>> You can workshop the exact text of my email, but the same point still >>>>> stands. We could instead say we're discussing applications that "accept >>>>> leaking group membership to a central server" and "need to use that central >>>>> server to provide certain features". All 3 of these criteria /must/ be met >>>>> to justify using unencrypted group operations. However, MLS was >>>>> painstakingly designed to make meeting any of these 3 criteria /optional/: >>>>> - MLS was designed to be secure without transport encryption >>>>> - MLS was designed to be able to support Sealed Sender-type operation >>>>> - MLS was designed to work on relatively simple Delivery Services that >>>>> are agnostic to the protocol >>>>> >>>>> Keeping the recommendation to use encrypted group operations is not >>>>> passing judgement on applications that use unencrypted group operations. If >>>>> mimi (or any other application) is unable to encrypt group operations >>>>> despite this being a first-class feature of mls, I would just like them to >>>>> make that decision intentionally and document it. >>>>> >>>>> On Tue, Jan 30, 2024 at 9:48 AM Richard Barnes <rlb@ipv.sx> wrote: >>>>> >>>>>> My take here is broadly in line with EKR here. I have a couple of >>>>>> problems with Brendan's analysis here: >>>>>> >>>>>> First: #3 on Brendan's list says "want to" like it's a personal >>>>>> desire, but it's actually an important objective engineering consideration: >>>>>> Operating MLS is dramatically more efficient in large groups if a server >>>>>> caches the tree, to the point where groups of any size are basically >>>>>> unworkable without this optimization. (Without this optimization, commits >>>>>> impose linear cost in units of data sent by the committer to new joiners, >>>>>> and with large constants because of credentials.) >>>>>> >>>>>> Second: #2 "don't care about leaking" similarly discounts a >>>>>> legitimate engineering trade-off. It's not that the apps exposing >>>>>> membership to the server are just being lackadaisical; there are legitimate >>>>>> reasons to have a server act as a policy enforcement point as a secondary >>>>>> check on clients (e.g., in cases where clients might be adversarial to the >>>>>> interests of the policy controller). >>>>>> >>>>>> Calling a set of apps that collectively cover billions of users "quite >>>>>> a specific subset" is certainly a take, but not one I can agree with. >>>>>> >>>>>> If I were writing this myself, the outline would be: >>>>>> * In principle, encrypting MLS handshake messages provides the >>>>>> highest level of confidentiality >>>>>> * In practice, this imposes heavy performance costs >>>>>> * Here are some guidelines that apps can use to decide where they >>>>>> want to land on this trade-off >>>>>> >>>>>> EKR's PR is quite close to this, so I would propose we workshop that >>>>>> text a little and then adopt it. >>>>>> >>>>>> --Richard >>>>>> >>>>>> >>>>>> On Tue, Jan 30, 2024 at 7:11 AM Eric Rescorla <ekr@rtfm.com> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Jan 30, 2024 at 8:57 AM Brendan McMillion < >>>>>>> brendanmcmillion@gmail.com> wrote: >>>>>>> >>>>>>>> Hi mls@ >>>>>>>> >>>>>>>> One of the first topics of discussion at our last interim was on >>>>>>>> whether or not to keep the recommendation in the architecture draft to use >>>>>>>> encrypted group operations whenever possible. This is issue #210 on the >>>>>>>> repo [1]. >>>>>>>> >>>>>>>> The desire to remove this recommendation comes from the fact that >>>>>>>> many mls deployments and the mimi wg do not follow it. It doesn't seem that >>>>>>>> the minutes have been uploaded yet, but my memory of the conversation at >>>>>>>> the interim is that: >>>>>>>> - We generally agree that encrypted group operations would, in an >>>>>>>> ideal world, be preferred. I recall several people saying it's the "moral >>>>>>>> thing to do." >>>>>>>> - Acknowledging that most deployed applications don't encrypt group >>>>>>>> operations. We listed the deployments we knew of to prove this. >>>>>>>> >>>>>>>> The after-the-fact answer I came up with for why most applications >>>>>>>> don't encrypt group operations is that they can 1.) guarantee strong >>>>>>>> transport-layer security, 2.) don't care about leaking group membership to >>>>>>>> a central server, and 3.) want to use that central server to provide >>>>>>>> certain features. Despite being well-represented in the mls wg, >>>>>>>> applications that meet criteria 1, 2 and 3 is actually quite a specific >>>>>>>> subset within the space of what MLS was designed to support. Any >>>>>>>> decentralized application would not meet these criteria (no transport-layer >>>>>>>> encryption). Signal doesn't either (doesn't leak membership). >>>>>>>> >>>>>>>> Given this, my proposal is to keep the recommendation but state >>>>>>>> that applications may use unencrypted operations if they have an explicit >>>>>>>> reason. I've opened a PR to that effect here: >>>>>>>> https://github.com/mlswg/mls-architecture/pull/247 >>>>>>>> >>>>>>>> This is in contrast with a PR from Eric that removes the >>>>>>>> recommendation and describes the tradeoffs between encrypted and >>>>>>>> unencrypted group operations on relatively equal footing: >>>>>>>> https://github.com/mlswg/mls-architecture/pull/246 >>>>>>>> >>>>>>>> Please say on the list if you have a preference between the PRs. >>>>>>>> Thank you! >>>>>>>> >>>>>>> >>>>>>> Just to clarify the process here: this is the start of a discussion, >>>>>>> not a consensus call, though I suppose the chairs might do a consensus call >>>>>>> later if that's necessary. >>>>>>> >>>>>>> With that said, while I agree that it would be better if people >>>>>>> encrypted the group messages, the objective of IETF documents is not to >>>>>>> talk about the ideal world but to actually document protocol specifications >>>>>>> for people to implement. >>>>>>> >>>>>>> Here in the IETF, we are specifying precisely one such protocol that >>>>>>> uses MLS, which is to say MIMI, and as Brendan notes, that protocol uses >>>>>>> unencrypted group operations. Text like what appears in PR #246 that >>>>>>> suggests that people ought not to do what we in IETF are in fact doing >>>>>>> serves mostly to confuse people and make us look uncoordinated [0]. >>>>>>> >>>>>>> -Ekr >>>>>>> >>>>>>> [0] See also RFC 6919 "MUST (BUT WE KNOW YOU WON'T)" and "OUGHT TO". >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> 1. https://github.com/mlswg/mls-architecture/issues/210 >>>>>>>> _______________________________________________ >>>>>>>> MLS mailing list >>>>>>>> MLS@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/mls >>>>>>>> >>>>>>> _______________________________________________ >>>>>>> MLS mailing list >>>>>>> MLS@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/mls >>>>>>> >>>>>>
- [MLS] Recommendation for encrypted group operatio… Brendan McMillion
- Re: [MLS] Recommendation for encrypted group oper… Eric Rescorla
- Re: [MLS] Recommendation for encrypted group oper… Richard Barnes
- Re: [MLS] Recommendation for encrypted group oper… Brendan McMillion
- Re: [MLS] Recommendation for encrypted group oper… Richard Barnes
- Re: [MLS] Recommendation for encrypted group oper… Brendan McMillion
- Re: [MLS] Recommendation for encrypted group oper… Eric Rescorla
- Re: [MLS] Recommendation for encrypted group oper… Brendan McMillion
- Re: [MLS] Recommendation for encrypted group oper… Watson Ladd
- Re: [MLS] Recommendation for encrypted group oper… Richard Barnes
- Re: [MLS] Recommendation for encrypted group oper… Richard Barnes
- Re: [MLS] Recommendation for encrypted group oper… Brendan McMillion
- Re: [MLS] Recommendation for encrypted group oper… Eric Rescorla
- Re: [MLS] Recommendation for encrypted group oper… Paul Wouters