IETF Logo Mail Archive

Re: [MLS] More clarity around validating proposals

Richard Barnes <rlb@ipv.sx> Fri, 13 May 2022 18:16 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 159A8C180A9C for <mls@ietfa.amsl.com>; Fri, 13 May 2022 11:16:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2OgA5Yops_LL for <mls@ietfa.amsl.com>; Fri, 13 May 2022 11:16:27 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE7E9C180A99 for <mls@ietf.org>; Fri, 13 May 2022 11:16:27 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id eq14so7250214qvb.4 for <mls@ietf.org>; Fri, 13 May 2022 11:16:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nMDfJ6pMdLUVJ64OR7ubnfKqlKa57vgfwWoUbprR7gw=; b=zXub+Kd4vMEpn2fzaGd9a+rYmAYwGAyle8qQU4wljfm/lTlzOUPWK2wAiTWphVLmZc B6mURIdkukdr+SuvejQ/RZE7P8zf/uS/2ANkay35aGqQsBa1EyThy3+rAT/hKd/cFKOO KOy2Z82l99kwnGhX+Be71EJLweYJlbT9QZvvSGGNmG/Mptl0zNY7Q6ct1+qD47bpxzOT pJprhDkH3f6XqDMMFDMcoK8CETEkiDz5aALzYRt1/zVU103oWxkiEogWbrCjbD/xXBYh A0ueM3oD46EKACVwhxzzdKu8cLL6HDTYamXj04Y8++YqV2aDlfGzS2wEdcgmQao5og8b jFcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nMDfJ6pMdLUVJ64OR7ubnfKqlKa57vgfwWoUbprR7gw=; b=6eY2T2updeq7HRAlEyDjy0XfLusGAfh0WkjfEMHTfvDWdCUG47nfCuePexQ9Oji3Ie W5Co8sPTnT8KSimwKyzGrcJYlzAGGAljtcpVbnY0kNiDti5kvTdYO07EWNdeVt85JxSD Bqj4oGhGm67ZVAo4CGHGxDjdnzyFv1WfJqoMl6e60uoLB7aMbYX4Gql2bawmKrG/4aMA TuzWH34ftuJwtbPzDXKLaEPJNXt8XiOaKQjLdTre0S0iG/WlbTAJjdu/emcnfNXlkC8F +VtXWbuogYK7q1QcNW5X4yZWDwCweneI9vrOux8HePWpZhyLAFGHn6ux/gQjvp2VwT41 0AVg==
X-Gm-Message-State: AOAM532g4irHZlxrx1uS0uzPr8JWY87B1lrTcx7p266d1R9NQFBOZSYf 305otZJR/yIIUf+yi6WSwt0UpLx9HzKYdj0KtAYRqQ==
X-Google-Smtp-Source: ABdhPJw/fs/At5Pf2B9q9F62rgkvszEBdpkWIyVyr6TYbdhFNDgneXtk/duRul0DhCtOMrS7Bk8QaRngP1HU/lgyQ3k=
X-Received: by 2002:ad4:5bc1:0:b0:42c:531c:ef12 with SMTP id t1-20020ad45bc1000000b0042c531cef12mr5777901qvt.15.1652465786128; Fri, 13 May 2022 11:16:26 -0700 (PDT)
MIME-Version: 1.0
References: <eb2a59b3fe624c04a21756b2294f4c32@inf.ethz.ch> <CAL02cgR=OwnvepcbKSwmKjir6P77=75gZDY3a6DNmZRa0Ew8UQ@mail.gmail.com> <067f3ffba04c4fcfad851323a9936339@inf.ethz.ch>
In-Reply-To: <067f3ffba04c4fcfad851323a9936339@inf.ethz.ch>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 13 May 2022 14:16:15 -0400
Message-ID: <CAL02cgQSEf+wZj5zm+BEYoHwEBCGdzLbSP1_1NBjSN-bpk88gA@mail.gmail.com>
To: Mularczyk Marta <marta.mularczyk@inf.ethz.ch>
Cc: "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002fa11105dee8accc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/5drA7I7909E-FReHe-6w8qsJuDU>
Subject: Re: [MLS] More clarity around validating proposals
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2022 18:16:29 -0000

Inline...

On Fri, May 13, 2022 at 2:04 PM Mularczyk Marta <marta.mularczyk@inf.ethz.ch>
wrote:

> Hi Richard,
>
> Thanks for the input! In fact, we’re all for downgrading MUSTs to SHOULDs.
> I think it still makes sense to collect all the rules / guidance from the
> RFC into a single section 13.4. It would contain:
>
>
>    1. Properties that a committed vector of proposals MUST satisfy. They
>    are required for correctness or security of MLS.E.g.
>       1. There MUST NOT be a proposal removing the committer
>       2. ExternalInit MUST only be used in external commit
>       3. The signature MUST verify
>    2. Properties that a committed vector of proposals SHOULD satisfy,
>    i.e., general guidance). E.g.
>       1. There SHOULD be at most one proposal affecting a leaf
>
>
Sounds good to me.  A few other ideas:

- ExternalInit MUST NOT appear outside of an external Commit (i.e., only if
sender.type == new_member)
- There SHOULD NOT be an Update proposal for the committer (in particular,
no Updates by value)
- There SHOULD NOT be Update and Remove proposals for the same leaf
- There SHOULD NOT be more than one GroupContextExtensions proposal (they
will overwrite each other)
- Might say "SHOULD NOT be more than one" instead of "SHOULD be at most one"

Look forward to the PR.


> > Though I have to say I don't love the idea of trying to implement the
> logic to build such a maximal list.
>
> Very simple :) Say you have a proposal list L. To build a maximal valid
> list, start with an empty list LVal. Then for each P in L, do: if LVal with
> P appended is valid, append P to LVal. Else, continue.
>

That gives you *a* maximal proposal list -- but maybe not the one that's
right for the situation!  It's dependent on the order in which you consider
P in L, so if there are two incompatible proposals, you'll take the first
one.  Might or not be the right outcome.  There are good algorithms here,
they're just more complicated than "whatever the application says" :)

--Richard


>
> Best,
> Marta
>
> ------------------------------
> *From:* MLS <mls-bounces@ietf.org> on behalf of Richard Barnes <rlb@ipv.sx
> >
> *Sent:* Friday, May 13, 2022 5:05:28 PM
> *To:* Mularczyk Marta
> *Cc:* mls@ietf.org
> *Subject:* Re: [MLS] More clarity around validating proposals
>
> Hi Marta,
>
> Thanks for thinking about this stuff, these are good issues to clarify.  I
> agree with your analysis, and the conclusion that the current text is
> ambiguous.  Though I think some of the ambiguity may have been intentional,
> to allow for the sorts of policies you describe.
>
> It seems like there's a prerequisite question as to whether we need to be
> prescriptive about these things.  One could imagine leaving the set of
> proposals committed up to the application.  Different choices by the
> application would have implications that would be worth discussing in the
> spec (e.g., the members could refuse to commit a Remove sent by an external
> proposer), but both the risks and the possibilities to mitigate them seem
> more specific to application deployment contexts, as opposed to core parts
> of the protocol.  Personally, I have a pretty strong preference for this
> option.
>
> If we were going to do that, I think the major impact would just be to
> downgrade the MUSTs on this front to SHOULDs.  We should probably provide
> some notes of the general character you describe, but we wouldn't need to
> be quite so precise because we would just be providing guidance, not hard
> requirements.
>
> If we're going to go down the path you suggest, the text changes you
> propose sound about right.  Though I have to say I don't love the idea of
> trying to implement the logic to build such a maximal list.  It might be
> worth noting that it's possible for there to be multiple lists that are
> maximal in this sense, e.g. if two proposals are mutually exclusive with
> each other but compatible with the others.
>
> --Richard
> On Thu, May 12, 2022 at 12:44 PM Mularczyk Marta <
> marta.mularczyk@inf.ethz.ch> wrote:
>
>> Hi all,
>>
>> Me, Tom Leavy and Joël Alwen think that the text in the RFC around
>> validating proposals, choosing which proposals go into a commit and how to
>> validate a received commit could do with a bit more work.
>>
>> The root issue is that Section 13.2 states “The sender of a Commit MUST
>> include all valid proposals that it has received during the current epoch.
>> Invalid proposals include, for example, proposals with an invalid signature
>> or proposals that are semantically invalid, such as an Add when the sender
>> does not have the application-level permission to add new users.” There are
>> two intertwined issues with this text:
>>
>>    1. The qualifier “MUST”
>>    2. The text is too vague about what a “valid Proposal” is. E.g. it
>>    could be interpreted to mean a Proposal is “valid” relative to the current
>>    group state: Can it be applied to the group as it stands now? Then it’s
>>    “valid”.
>>
>>
>> Put simply, it doesn’t make sense to only validate proposals
>> individually. Instead one should validate if the full list of proposals can
>> be committed. Indeed, other parts of the RFC enforce validation steps that
>> apply to the full list. E.g.
>>
>>    - A ReInit proposal MUST be the only one in the commit, and other
>>    existing proposals SHOULD be preferred (13.2.1).
>>
>>
>>    - Out of multiple proposals affecting the same leaf, the committer
>>    MUST choose an arbitrary one (13.2, “If there are multiple (…)”).
>>
>>
>>    - Out of multiple PSK proposals with the same ID, the committer MUST
>>    choose an arbitrary one (13.2).
>>
>>
>> In fact, once extensions come into play there are likely many more
>> similar situations, even ones affecting lists of otherwise benign proposals
>> (e.g. Add/Remove). Suppose a chat app is built on MLS with a custom room
>> moderator roles extension. The app wants MLS to enforce two rules: Only
>> mods can Add/Remove. Rooms should always have at least 1 Mod. Here’s how
>> the RFC’s current text can become a problem: A and B are the only mods in a
>> room. A makes proposal P1 that removes B. Meanwhile, B makes prop P2 that
>> removes A. C gets both proposals. What should C do?
>>
>>    - Option 1: validate & cache both proposals. → Problem: C can no
>>    longer issue a commit as it “MUST include all valid proposals”.
>>    (Alternatively, it does commit to both as instructed by the RFC which
>>    leaves the room without a mod.)
>>
>>
>>    - Option 2: validate & cache the first prop received (say, P1), but
>>    reject P2 as validating both means C can’t commit. → Problem: If someone
>>    else commits to P2 by ref. C can’t process the commit as it doesn’t “know”
>>    P2.
>>
>>
>> So, to clean all this up a bit more we are working on a PR with 2 main
>> changes:
>>
>>    1. In 13.2, replace “The sender of a Commit MUST include all valid
>>    proposals that it has received“ by ”The sender of a Commit MUST commit to a
>>    maximal valid list of proposals. The conditions making a list of proposals
>>    'valid' for an epoch are described in Section 13.4. A valid list is
>>    'maximal' if adding any other received proposal would result in an invalid
>>    list.“
>>    2. Add Section 13.4 which collects all rules for validating proposals
>>    (currently in 13.2, 13.1, 11.1, 8.3) into 3 procedures: validating an
>>    incoming proposal, validating a list of proposals on creating a commit and
>>    on receiving a commit.
>>
>>
>> We’d be happy to hear what people think about this!
>>
>> Marta
>>
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls
>>
>

v2.23.0 | Report a Bug | By Email