IETF Logo Mail Archive

Re: [MLS] Recommendation for encrypted group operations

Richard Barnes <rlb@ipv.sx> Tue, 30 January 2024 21:19 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 261DAC15107A for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 13:19:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xgvu_h62sXC0 for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 13:19:46 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E07AC14CE27 for <mls@ietf.org>; Tue, 30 Jan 2024 13:19:46 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id ca18e2360f4ac-7c01af010bcso8405139f.0 for <mls@ietf.org>; Tue, 30 Jan 2024 13:19:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1706649585; x=1707254385; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=5S96AWzFqW2/NhGikcue6OaVHDV3Q5mC+ifHJMBee9Y=; b=00GCcQgpbEKo5hAirMT67+NGeuCu/+gvcFgD8DnCIEijnJYLWL+2t20bo/3hKH+PzN /RZIOivHTEOyoimZlryB4X+t/zdLsczb8yyhdGXxIkhBCmrJ1l1zytLpc3PNd/AtYNEr esCttIDDafBJ3/nrdv0C1vSvvDBbIEo7OvNO7bcRfkvK9HQchzzDfjCcs8gvHnd5HdPt FimiJP5e+t1pXJeKdArN0TV+nK6v246ynslvlzmYGss2Ly4Rz3vZZf+soYtFdBndPV+4 B7Y2Bcr6qvm+QL45lPNS/fR+bXNZ1BAKGcktW0aRZ64PkCO2mv+H0sp6Et7akVXP2Os0 yPuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706649585; x=1707254385; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5S96AWzFqW2/NhGikcue6OaVHDV3Q5mC+ifHJMBee9Y=; b=SkWLNT/kAOv3t5s7wIDtk4YrLK/X/KtrEdaLNKPCDkFZmObV8dsXtAL/XKhwyoIX+c DuhTcoAinTC7rHh+4+UIQ72SzcNWZSVM3e48jZx5gl+SHZUTnIamQDbENLAuSNFc+as+ HH+jdHnS74WYmVs7l/vrWK95WpArmGNw9WVLJTJQixA3yR3zMK1208MIw013s4RcjKVd I9tuOBFkFZXGA5cr6GN/aGl+OR6ToyUUvd9xJNJdRZvK0VXVumPz2e9lhslGfhJAYjl+ v7zwMWWw8CUXzHfIrNh40wnDrgw63zvx9UUDe6G6ohbeRVxC4/UnWY+yblpqyoDBsIwr EbDQ==
X-Gm-Message-State: AOJu0YyKIIr1up4YIl46g/B8MwpcSoDX6KzPmBa1CsLXkMJDgUNnUkyy ++gt/lmsL9W6xUx5kVcNZGPRoMNoRln2dqzL4BJDpEcijWfo5k7V2tyFXm1OCi71GQhMDlBYspW bejrbJVOU6egadrq+ZidzN4i/F/p5Rhmrq4wXWUEu8GKm1LFG
X-Google-Smtp-Source: AGHT+IEhI0DHKFDu6S5HIoCnKnYH3pTllyWDaCUmSh7KtrLqzSCuHgmeZfBSExwY5yNdIxo3zrQv/8j6IbU7DYdTuj0=
X-Received: by 2002:a92:a30d:0:b0:361:8ced:91be with SMTP id a13-20020a92a30d000000b003618ced91bemr8423837ili.12.1706649585158; Tue, 30 Jan 2024 13:19:45 -0800 (PST)
MIME-Version: 1.0
References: <CAJTd26+hJjKaZZenN3bQuVaifJotVhbpQoYEBLBaN7KiOw2_Qg@mail.gmail.com> <CABcZeBNT=EBMrmOJ1pBpaThs6BcVuajXYt+ziXzEMZU0LKjfjg@mail.gmail.com> <CAL02cgQkOxg6f1U-GwAWTOBDv96yvV1bEFZ=F7ES+Qhs7vDJLA@mail.gmail.com> <CAJTd26L-ROx_T5RaDU9cZscTzOZGM9zGmgwN=_iAtGWw2jgJUA@mail.gmail.com> <CAL02cgR03wgwLFARPPwx1ROCsvPUk0xR83FSudjv0b7aR21yzg@mail.gmail.com> <CAJTd26L_AVPwnm+5-H2nA_x4j2tLZZOKHykBNmvk0PO9oUL4Ww@mail.gmail.com> <CABcZeBPOGtFu=UXyqV-ftiMYx1rXJYbxRNE+Hfggsws8bZ2zwA@mail.gmail.com> <CAJTd26JXHjqVbHs91g+oUbuBrX88geOjbGqz1EW-7TUOLgAQWg@mail.gmail.com>
In-Reply-To: <CAJTd26JXHjqVbHs91g+oUbuBrX88geOjbGqz1EW-7TUOLgAQWg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 30 Jan 2024 11:19:39 -1000
Message-ID: <CAL02cgS-Y3mVxhqiepSLj5SoLNiDaFPZs2EgsoZ7NW1xivu53g@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000047a79f061030521b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/2KyIamhyX_B1kK2jVnq2DX0fDdA>
Subject: Re: [MLS] Recommendation for encrypted group operations
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 21:19:50 -0000

#1 is an "only" issue in those cases, but real apps care about those
situations.  Uploading the ratchet tree was a primary constraint on Webex's
scaling of MLS to support real meeting sizes.

#2 is certainly an issue in enterprise settings, but more generally, it
applies in any case where it's not acceptable to wait to enforce policy
decisions until a member empowered to enforce those decisions comes
online.  If you have a messaging space where a room moderator has set a
policy that "nobody with a Gmail address can join", do you rely on everyone
in the room to generously not add a forbidden user?  Do you rely on
reactive removals?  Or do you have the server help by quashing forbidden
joins.  You basically can't have a public room *and* usable abuse
mitigation without server assistance.

So yes, these are real concerns.

--Richard

On Tue, Jan 30, 2024 at 11:10 AM Brendan McMillion <
brendanmcmillion@gmail.com> wrote:

> #1 is only an issue if you are supporting very very large groups, or maybe
> if you have very inefficient credentials. #2 does not immediately resonate
> with me, as it sounds more like a concern that you would have in corporate
> environments?
>
> I personally have not followed the mimi wg very closely and I can not say
> why they made this decision.
>
> On Tue, Jan 30, 2024 at 12:58 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Tue, Jan 30, 2024 at 12:41 PM Brendan McMillion <
>> brendanmcmillion@gmail.com> wrote:
>>
>>> I appreciate the point about the current text seeming like an RFC 6919
>>> "should (but won't)" which is why my proposed resolution was to state the
>>> specific common reason why the recommendation wouldn't be followed. You're
>>> claiming without evidence that the recommendation should be removed because
>>> encrypted group operations have a "real cost" that is "clearly
>>> prohibitive". This sort of thinking becoming common is what I think we
>>> should try to avoid, and why the recommendation should stay. I'm working on
>>> such an MLS deployment <https://xmtp.org/roadmap>. The cost is minimal
>>> and it actually simplifies things quite a bit to assume nothing of the DS.
>>>
>>
>> Richard in fact did state evidence in his original message, specifically
>> that:
>>
>> 1. "Without this optimization, commits impose linear cost in units of
>> data sent by the committer to new joiners, and with large constants because
>> of credentials."
>> 2. "there are legitimate reasons to have a server act as a policy
>> enforcement point as a secondary check on clients (e.g., in cases where
>> clients might be adversarial to the interests of the policy controller)."
>>
>> Those certainly seem like "real costs". Do you think either of those
>> statements is untrue?
>>
>> Perhaps your argument is with "clearly prohibitive", but the relevant
>> evidence for that is that when the relevant IETF WG (MIMI) considered this
>> matter, they concluded that it was impractical to have encrypted group
>> operations. Of course, MIMI could be wrong about that, but then what you
>> should be doing is trying to convince them, and perhaps providing text
>> about why that analysis is incorrect, to go into this document. Absent
>> that, having a naked recommendation doesn't do anything meaningful to
>> impact people's behavior and, as I said, mostly makes the IETF look like it
>> doesn't have a consistent view.
>>
>> -Ekr
>>
>>
>>
>>
>>> On Tue, Jan 30, 2024 at 10:51 AM Richard Barnes <rlb@ipv.sx> wrote:
>>>
>>>> This brings us back to EKR's point about RFC 6919.  MLS supports those
>>>> things, but at real cost.  So yes, some applications might choose to take
>>>> on that cost, but to date, nobody has.  This document should be providing
>>>> guidance to implementors about how to make good engineering decisions, not
>>>> exhorting them to do the most confidentiality-preserving thing at all costs.
>>>>
>>>> BTW MIMI is making this decision intentionally -- it has already been
>>>> discussed pretty extensively, and the costs are clearly prohibitive.  The
>>>> considerations are documented in mailing list posts and minutes, and I'm
>>>> sure they will make it into the documents.  And nothing we write in this
>>>> document can compel that WG to do anything anyway, it's an informative
>>>> document.
>>>>
>>>> --RLB
>>>>
>>>> On Tue, Jan 30, 2024 at 8:19 AM Brendan McMillion <
>>>> brendanmcmillion@gmail.com> wrote:
>>>>
>>>>> You can workshop the exact text of my email, but the same point still
>>>>> stands. We could instead say we're discussing applications that "accept
>>>>> leaking group membership to a central server" and "need to use that central
>>>>> server to provide certain features". All 3 of these criteria /must/ be met
>>>>> to justify using unencrypted group operations. However, MLS was
>>>>> painstakingly designed to make meeting any of these 3 criteria /optional/:
>>>>> - MLS was designed to be secure without transport encryption
>>>>> - MLS was designed to be able to support Sealed Sender-type operation
>>>>> - MLS was designed to work on relatively simple Delivery Services that
>>>>> are agnostic to the protocol
>>>>>
>>>>> Keeping the recommendation to use encrypted group operations is not
>>>>> passing judgement on applications that use unencrypted group operations. If
>>>>> mimi (or any other application) is unable to encrypt group operations
>>>>> despite this being a first-class feature of mls, I would just like them to
>>>>> make that decision intentionally and document it.
>>>>>
>>>>> On Tue, Jan 30, 2024 at 9:48 AM Richard Barnes <rlb@ipv.sx> wrote:
>>>>>
>>>>>> My take here is broadly in line with EKR here.  I have a couple of
>>>>>> problems with Brendan's analysis here:
>>>>>>
>>>>>> First: #3 on Brendan's list says "want to" like it's a personal
>>>>>> desire, but it's actually an important objective engineering consideration:
>>>>>> Operating MLS is dramatically more efficient in large groups if a server
>>>>>> caches the tree, to the point where groups of any size are basically
>>>>>> unworkable without this optimization.  (Without this optimization, commits
>>>>>> impose linear cost in units of data sent by the committer to new joiners,
>>>>>> and with large constants because of credentials.)
>>>>>>
>>>>>> Second: #2 "don't care about leaking" similarly discounts a
>>>>>> legitimate engineering trade-off.  It's not that the apps exposing
>>>>>> membership to the server are just being lackadaisical; there are legitimate
>>>>>> reasons to have a server act as a policy enforcement point as a secondary
>>>>>> check on clients (e.g., in cases where clients might be adversarial to the
>>>>>> interests of the policy controller).
>>>>>>
>>>>>> Calling a set of apps that collectively cover billions of users "quite
>>>>>> a specific subset" is certainly a take, but not one I can agree with.
>>>>>>
>>>>>> If I were writing this myself, the outline would be:
>>>>>> * In principle, encrypting MLS handshake messages provides the
>>>>>> highest level of confidentiality
>>>>>> * In practice, this imposes heavy performance costs
>>>>>> * Here are some guidelines that apps can use to decide where they
>>>>>> want to land on this trade-off
>>>>>>
>>>>>> EKR's PR is quite close to this, so I would propose we workshop that
>>>>>> text a little and then adopt it.
>>>>>>
>>>>>> --Richard
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 30, 2024 at 7:11 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jan 30, 2024 at 8:57 AM Brendan McMillion <
>>>>>>> brendanmcmillion@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi mls@
>>>>>>>>
>>>>>>>> One of the first topics of discussion at our last interim was on
>>>>>>>> whether or not to keep the recommendation in the architecture draft to use
>>>>>>>> encrypted group operations whenever possible. This is issue #210 on the
>>>>>>>> repo [1].
>>>>>>>>
>>>>>>>> The desire to remove this recommendation comes from the fact that
>>>>>>>> many mls deployments and the mimi wg do not follow it. It doesn't seem that
>>>>>>>> the minutes have been uploaded yet, but my memory of the conversation at
>>>>>>>> the interim is that:
>>>>>>>> - We generally agree that encrypted group operations would, in an
>>>>>>>> ideal world, be preferred. I recall several people saying it's the "moral
>>>>>>>> thing to do."
>>>>>>>> - Acknowledging that most deployed applications don't encrypt group
>>>>>>>> operations. We listed the deployments we knew of to prove this.
>>>>>>>>
>>>>>>>> The after-the-fact answer I came up with for why most applications
>>>>>>>> don't encrypt group operations is that they can 1.) guarantee strong
>>>>>>>> transport-layer security, 2.) don't care about leaking group membership to
>>>>>>>> a central server, and 3.) want to use that central server to provide
>>>>>>>> certain features. Despite being well-represented in the mls wg,
>>>>>>>> applications that meet criteria 1, 2 and 3 is actually quite a specific
>>>>>>>> subset within the space of what MLS was designed to support. Any
>>>>>>>> decentralized application would not meet these criteria (no transport-layer
>>>>>>>> encryption). Signal doesn't either (doesn't leak membership).
>>>>>>>>
>>>>>>>> Given this, my proposal is to keep the recommendation but state
>>>>>>>> that applications may use unencrypted operations if they have an explicit
>>>>>>>> reason. I've opened a PR to that effect here:
>>>>>>>> https://github.com/mlswg/mls-architecture/pull/247
>>>>>>>>
>>>>>>>> This is in contrast with a PR from Eric that removes the
>>>>>>>> recommendation and describes the tradeoffs between encrypted and
>>>>>>>> unencrypted group operations on relatively equal footing:
>>>>>>>> https://github.com/mlswg/mls-architecture/pull/246
>>>>>>>>
>>>>>>>> Please say on the list if you have a preference between the PRs.
>>>>>>>> Thank you!
>>>>>>>>
>>>>>>>
>>>>>>> Just to clarify the process here: this is the start of a discussion,
>>>>>>> not a consensus call, though I suppose the chairs might do a consensus call
>>>>>>> later if that's necessary.
>>>>>>>
>>>>>>> With that said, while I agree that it would be better if people
>>>>>>> encrypted the group messages, the objective of IETF documents is not to
>>>>>>> talk about the ideal world but to actually document protocol specifications
>>>>>>> for people to implement.
>>>>>>>
>>>>>>> Here in the IETF, we are specifying precisely one such protocol that
>>>>>>> uses MLS, which is to say MIMI, and as Brendan notes, that protocol uses
>>>>>>> unencrypted group operations. Text like what appears in PR #246 that
>>>>>>> suggests that people ought not to do what we in IETF are in fact doing
>>>>>>> serves mostly to confuse people and make us look uncoordinated [0].
>>>>>>>
>>>>>>> -Ekr
>>>>>>>
>>>>>>> [0] See also RFC 6919 "MUST (BUT WE KNOW YOU WON'T)" and  "OUGHT TO".
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> 1. https://github.com/mlswg/mls-architecture/issues/210
>>>>>>>> _______________________________________________
>>>>>>>> MLS mailing list
>>>>>>>> MLS@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/mls
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> MLS mailing list
>>>>>>> MLS@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/mls
>>>>>>>
>>>>>>

v2.23.0 | Report a Bug | By Email