Re: [MLS] More clarity around validating proposals
Richard Barnes <rlb@ipv.sx> Fri, 13 May 2022 15:05 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80B8CC159495 for <mls@ietfa.amsl.com>; Fri, 13 May 2022 08:05:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f3PZp1Yvpx-7 for <mls@ietfa.amsl.com>; Fri, 13 May 2022 08:05:41 -0700 (PDT)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40DF3C157B50 for <mls@ietf.org>; Fri, 13 May 2022 08:05:41 -0700 (PDT)
Received: by mail-qv1-xf2d.google.com with SMTP id h13so6901466qvh.0 for <mls@ietf.org>; Fri, 13 May 2022 08:05:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=t/MlaTYjJYHfFwogyJUhQZgYCiSRV8eJVwaHKYXxMTc=; b=oojwTIzLjbNJIVw0rX8EJkw63z17QepegbFjYPGtmpffayYahGqE2Gx3fZ+A/XrniB g6czTI5uBC8nGxHPxZKRJHok2Se7awNxHGhv7j9/BFlJ351T7IMboMk25BHIN5VbcGB4 j7dTCLw8sUP+ktcsg8CpQq22QSduYKJVFPl7VgfEgiItk7YaleegOQ9d9GCawl3tuXRj QQ337yZccMasSK4m/EpbSJGeAQawHtnz2YpE0xbMYsxaq9PloQTqKAu4AZXjqXu2Hk7v Utzwqdgi+2b8TCf+rS75qYAkXtFN+yJVw5TcSYstYq9Ta9vk+p4T9GNMuvSZS8arIaFh tJYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=t/MlaTYjJYHfFwogyJUhQZgYCiSRV8eJVwaHKYXxMTc=; b=kxQJcIAGsHJUdY5eP/Yto5gPsF5kQL5+ZgzHo74q6a12qMRuL8ZHAXLi6cI5N5icfr H0N4ZOa+EAC4DHhOkGrWl/2VcHvOEQXeDkxPKJii/0vXjpmaDZ7xVZWYIi5Ra453M5SM RuQcoy70ca39a826T43hPyBwONMpzyN5Acu2+3LZsyU1IFstYC91/NZMdwMsayA3K32p PSzWk1SjSOU/WGke/UQJfCck1AZKMpOnUvmW/TP1qvca1jJSKkv98iRUiJo04qZjX+PB 07eMqzsv6O47FWho73pgvJdqRoPNw/lK8XwmIeMm8Stb3D/NKVru4Li1kOJU65FvGVc+ 0dsw==
X-Gm-Message-State: AOAM532IOdCy/+7/aFaBN1qE73HYc0FpyoMdFhcFhNTidCMn8WyS6cfi BN4bQlZLZdN34YOQhia+yREtpIY0ZqmZ30VBf3VdPQ==
X-Google-Smtp-Source: ABdhPJxYL21nhKnF89iQFtLx4xXs8gVCmbWWgsuopuWdxj8J6q95eUhUGuUw3I9ZoPT43SGzpaJ/EgahZAxJuPdW3CU=
X-Received: by 2002:a05:6214:ca7:b0:45a:8c6f:a231 with SMTP id s7-20020a0562140ca700b0045a8c6fa231mr4903330qvs.130.1652454339304; Fri, 13 May 2022 08:05:39 -0700 (PDT)
MIME-Version: 1.0
References: <eb2a59b3fe624c04a21756b2294f4c32@inf.ethz.ch>
In-Reply-To: <eb2a59b3fe624c04a21756b2294f4c32@inf.ethz.ch>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 13 May 2022 11:05:28 -0400
Message-ID: <CAL02cgR=OwnvepcbKSwmKjir6P77=75gZDY3a6DNmZRa0Ew8UQ@mail.gmail.com>
To: Mularczyk Marta <marta.mularczyk@inf.ethz.ch>
Cc: "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6eb1305dee60141"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/2vByU3l6sfK_SHwQguExFKN7Rlw>
Subject: Re: [MLS] More clarity around validating proposals
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2022 15:05:43 -0000
Hi Marta, Thanks for thinking about this stuff, these are good issues to clarify. I agree with your analysis, and the conclusion that the current text is ambiguous. Though I think some of the ambiguity may have been intentional, to allow for the sorts of policies you describe. It seems like there's a prerequisite question as to whether we need to be prescriptive about these things. One could imagine leaving the set of proposals committed up to the application. Different choices by the application would have implications that would be worth discussing in the spec (e.g., the members could refuse to commit a Remove sent by an external proposer), but both the risks and the possibilities to mitigate them seem more specific to application deployment contexts, as opposed to core parts of the protocol. Personally, I have a pretty strong preference for this option. If we were going to do that, I think the major impact would just be to downgrade the MUSTs on this front to SHOULDs. We should probably provide some notes of the general character you describe, but we wouldn't need to be quite so precise because we would just be providing guidance, not hard requirements. If we're going to go down the path you suggest, the text changes you propose sound about right. Though I have to say I don't love the idea of trying to implement the logic to build such a maximal list. It might be worth noting that it's possible for there to be multiple lists that are maximal in this sense, e.g. if two proposals are mutually exclusive with each other but compatible with the others. --Richard On Thu, May 12, 2022 at 12:44 PM Mularczyk Marta < marta.mularczyk@inf.ethz.ch> wrote: > Hi all, > > Me, Tom Leavy and Joël Alwen think that the text in the RFC around > validating proposals, choosing which proposals go into a commit and how to > validate a received commit could do with a bit more work. > > The root issue is that Section 13.2 states “The sender of a Commit MUST > include all valid proposals that it has received during the current epoch. > Invalid proposals include, for example, proposals with an invalid signature > or proposals that are semantically invalid, such as an Add when the sender > does not have the application-level permission to add new users.” There are > two intertwined issues with this text: > > 1. The qualifier “MUST” > 2. The text is too vague about what a “valid Proposal” is. E.g. it > could be interpreted to mean a Proposal is “valid” relative to the current > group state: Can it be applied to the group as it stands now? Then it’s > “valid”. > > > Put simply, it doesn’t make sense to only validate proposals individually. > Instead one should validate if the full list of proposals can be committed. > Indeed, other parts of the RFC enforce validation steps that apply to the > full list. E.g. > > - A ReInit proposal MUST be the only one in the commit, and other > existing proposals SHOULD be preferred (13.2.1). > > > - Out of multiple proposals affecting the same leaf, the committer > MUST choose an arbitrary one (13.2, “If there are multiple (…)”). > > > - Out of multiple PSK proposals with the same ID, the committer MUST > choose an arbitrary one (13.2). > > > In fact, once extensions come into play there are likely many more similar > situations, even ones affecting lists of otherwise benign proposals (e.g. > Add/Remove). Suppose a chat app is built on MLS with a custom room > moderator roles extension. The app wants MLS to enforce two rules: Only > mods can Add/Remove. Rooms should always have at least 1 Mod. Here’s how > the RFC’s current text can become a problem: A and B are the only mods in a > room. A makes proposal P1 that removes B. Meanwhile, B makes prop P2 that > removes A. C gets both proposals. What should C do? > > - Option 1: validate & cache both proposals. → Problem: C can no > longer issue a commit as it “MUST include all valid proposals”. > (Alternatively, it does commit to both as instructed by the RFC which > leaves the room without a mod.) > > > - Option 2: validate & cache the first prop received (say, P1), but > reject P2 as validating both means C can’t commit. → Problem: If someone > else commits to P2 by ref. C can’t process the commit as it doesn’t “know” > P2. > > > So, to clean all this up a bit more we are working on a PR with 2 main > changes: > > 1. In 13.2, replace “The sender of a Commit MUST include all valid > proposals that it has received“ by ”The sender of a Commit MUST commit to a > maximal valid list of proposals. The conditions making a list of proposals > 'valid' for an epoch are described in Section 13.4. A valid list is > 'maximal' if adding any other received proposal would result in an invalid > list.“ > 2. Add Section 13.4 which collects all rules for validating proposals > (currently in 13.2, 13.1, 11.1, 8.3) into 3 procedures: validating an > incoming proposal, validating a list of proposals on creating a commit and > on receiving a commit. > > > We’d be happy to hear what people think about this! > > Marta > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] More clarity around validating proposals Mularczyk Marta
- Re: [MLS] More clarity around validating proposals Konrad Kohbrok
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals Mularczyk Marta
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals thomas leavy
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals thomas leavy
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals Mularczyk Marta
- Re: [MLS] More clarity around validating proposals Rohan Mahy