Re: [MLS] Supporting Large Groups
Richard Barnes <rlb@ipv.sx> Tue, 02 October 2018 23:17 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60968131118 for <mls@ietfa.amsl.com>; Tue, 2 Oct 2018 16:17:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kugONetSYek6 for <mls@ietfa.amsl.com>; Tue, 2 Oct 2018 16:17:48 -0700 (PDT)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37CF41310CA for <mls@ietf.org>; Tue, 2 Oct 2018 16:17:48 -0700 (PDT)
Received: by mail-ot1-x32f.google.com with SMTP id e18-v6so3695669oti.8 for <mls@ietf.org>; Tue, 02 Oct 2018 16:17:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SD7rVYMQGvydIzyXDFondnnaEpsH3nIKeCyHvig9254=; b=Q8WCDrlNDqDVxqvRF3+r/76V1q7ahmY3gBE23Auk4g+4rKJ47kiXnXSiEEpV+6+3eZ 4oIz1Hs9/9ss8lqA/MdoCtDri81cElJlX54hwPPusIgTu6y50b30H81CNXkQZ4X6WLCH fQjV7PRitAgKCCls//BsvAQ45KaJ10oh8sh2MLrqx/yvwJPY6CREDw8aBtLAYaujllV9 Lktc+1Dj3gQ1hpTkXvhDXnGSQ9CObh6w4rD8TXGlp4WSOg69+RvuxQotqEK0Ayfg0NC+ ySXfGNrQSbHMzW9A0Gz7X56kIznZ9zO5ylQ8tZc/XLaZ+B3F0u4AV0d/ijaBshJ77ByL BQ2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SD7rVYMQGvydIzyXDFondnnaEpsH3nIKeCyHvig9254=; b=SOSBmvr9BZS2qey4YHNXhwPKTBhbEDaVb4Zr6kyhizuyLJpeWXPOWl9fHdOSOB9EQ4 ODF4o4glzk1Pg89Mj495NZRExrTlI5mkqytVZDoz/HT9lR5yyyqd5tLBSrLOGIlUGFx+ AXDz9GMu0Ylb17YeDuyQsoJcAQip37uf5Jh0jM4z/Rv+nuzwugrbnjUoCiYG6cJ+c6oQ nR3U1lATaSk8mDXbz79m27bf7/+vAa+BTXaHevvKj3NSvRGSx6dxyWMFGEtl1vfhCB1W K3do+zj5E9RIRGBzOzBklXBle8lVI27p10QJJ6+JGxSJnPkAuaImxY/nyBy8KIm2Zcll 8jAw==
X-Gm-Message-State: ABuFfogiu2e99lN5NutVIq0bYc3hczBhCx5j7YO85qttccxbWwT5Wrly qKX8s+vZvN9mvsJxpD+TtCHupmGsP2jtzQZv+6M0VjuJYsE=
X-Google-Smtp-Source: ACcGV60RHwrmkgioixODQ++SWw/8RKKEXaQ4zzXy1QjqsYLObopJh7g5cZ3LJfMpf6+5qHLLoNOdgeZEBGdWI81bMG4=
X-Received: by 2002:a9d:764d:: with SMTP id o13-v6mr9854323otl.116.1538522267311; Tue, 02 Oct 2018 16:17:47 -0700 (PDT)
MIME-Version: 1.0
References: <CABP-pSReq6_SmaB_q4nm_K4Z055KJ3N+r1OqFjXeXnxmVqKCxg@mail.gmail.com>
In-Reply-To: <CABP-pSReq6_SmaB_q4nm_K4Z055KJ3N+r1OqFjXeXnxmVqKCxg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 03 Oct 2018 01:17:30 +0200
Message-ID: <CAL02cgQH5hQ0+W9J1aV4WhFD1JviKt4D1Xe2zm8R383910aYzw@mail.gmail.com>
To: brendan=40cloudflare.com@dmarc.ietf.org
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000038f9f305774721c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/6DxvudhD30Mz3uerbyZpNt1GN8o>
Subject: Re: [MLS] Supporting Large Groups
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2018 23:17:52 -0000
Hi Brendan, I'd like to argue that this can be done by a client implementation without affecting the overall protocol. If an implementation can keep a group of clients in sync with regard to the appropriate secrets (primarily init keys, and a (leaf DH key, signature key) pair per group), then they can effectively act collectively as one member of the overall group. You could even imagine doing this by using MLS to sync across the subgroup. By the same token, since this can be done via sync within a subgroup, it doesn't seem like we need to do anything to the base MLS spec to support this style of composition. If folks have an interest in having a standard way to sync stuff, it might make an interesting follow-on spec. That said, the whole point of MLS vs. earlier linear / N^2 protocols is to be able to scale farther. Exactly how much farther will depend on your specific tolerances, but ISTM that O(10^5) should be acheivable with relatively modest overhead. --Richard On Wed, Sep 26, 2018 at 10:05 PM Brendan McMillion <brendan= 40cloudflare.com@dmarc.ietf.org> wrote: > Hello mls@ > > My current understanding of the MLS protocol is that every user must be > individually invited to every chat room that they're a member of. This has > a lot of bad usability and performance properties for the case where you > want to invite the same large set of people to several different rooms. For > example, you could think about "everyone@company.com" being invited to > rooms for "Product A", "Team B", etc. I think it would be easy enough to > address this in the standard: > > Rather than only being able to add one user at a time, you could introduce > a mailing list-type concept where many people are represented by a single > email address / public key. Group membership, and therefore the group > public key, would be maintained by the same system that stores user > identity keys. > > I think there are probably a lot of valid ways to construct a group public > key, so standardizing a specific construction would be less useful than > just defining the necessary properties and how it would interact with the > protocol. What makes sense to me is: groups have only init keys which are > known to all group members, and no identity keys. This means that group > members can read messages but not send them (with the exception of an > Update message). To speak in a room, a group member must first send an Add > message for themselves. They can send the Add message because they know all > of the room secrets, through their knowledge of the group init private key. > > An Update message can be sent on behalf of a group to occasionally update > the group init key, without requiring any specific member of the group to > join the room. Rather than signing the message to authenticate it, they > would have to provide some evidence from the Key Store that this is really > the group's updated init key. Note that in the interest of efficiency, a > group init key would likely be semi-static and re-used between several > rooms, unlike user init keys which are only used once. > > Any comments or suggestions are welcome. > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Supporting Large Groups Brendan McMillion
- Re: [MLS] Supporting Large Groups Richard Barnes