IETF Logo Mail Archive

Re: [MLS] Subgroups

Brendan McMillion <brendanmcmillion@gmail.com> Wed, 20 March 2024 02:18 UTC

Return-Path: <brendanmcmillion@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E93E2C14F69C for <mls@ietfa.amsl.com>; Tue, 19 Mar 2024 19:18:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmjxulAjqpGC for <mls@ietfa.amsl.com>; Tue, 19 Mar 2024 19:18:17 -0700 (PDT)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57010C14F68B for <mls@ietf.org>; Tue, 19 Mar 2024 19:18:17 -0700 (PDT)
Received: by mail-vs1-xe33.google.com with SMTP id ada2fe7eead31-476614cb2e7so1532858137.3 for <mls@ietf.org>; Tue, 19 Mar 2024 19:18:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710901096; x=1711505896; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=j3Z5o7AEP889O1CixRO4E5IFzMmAyKcg5KX321y9rQ8=; b=nEaCFuWodhv9p8O9m8/Iv17NwJzN/AfLvz9SRfUA9g2ss0lds33Geph8o1cnMuYwiX e7UoNP8lRfpA8XCDnSJ1iU282TXUnr1Emg9BqvTU+MtRHabJVZ+6b9JcsgXwSXpQmVvb jdzmwPDQ2bpb3Kyu0JmUsJUexAPLmC1c1ubaSWHXEB/UJMuZUMgxVo8kKWLzWqdITHeI OOPuxdaPTkhLyRD6OGg0pr0McADDj/wBKk4tFS88LbveWdIiXgiSuYDJ2hOqfKrZbOsy dlWZXtS+c9NgrbuDx74gdPKVYwwwpdvGgQ1tPOVsPOwL14uavHKZueXsuX1w7Wz/BTZh iKVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710901096; x=1711505896; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=j3Z5o7AEP889O1CixRO4E5IFzMmAyKcg5KX321y9rQ8=; b=kx5eV6GpBvnG7XAJXpO0wB5CTs8EwFL+qbdAhis6+N9r0om4HF630PSbLENzG1xMlv hQNIfIszz9DCXiV+lcDm5lPBP/tUIAjKg8nQlDrY5KXZik0sBIs3qcfF8095KThcyIQT X8a5vNkx651seXkbVrYVpPiQjFXOqFgVHQt1oq3upqnut2alAYODeuqP4cCz1+PhBrnT SxO1k+BERrDIuysHT54gsW/rbjvkTuWuXK3943xTbmG3Wn808dtSqACa2xz/hfUYAxWA lf1YxL92Azy2Je+xHqW6RkXHIsXCVvZKSx/qKjAm6dgndoxcXk8/nSp7yrbqaIunkwpV csZQ==
X-Gm-Message-State: AOJu0Yz34T8JMkmfYVN7ZjdVYsUDS3Z5w738wPL4uhhfvkwkvnCVmfRy lnrfDwObeL1Sv5dyh2/4tK2BnrxfugK9f6sZ3tVkfzHvB45gnwy1cgXqeuZ01jBUziVx6aDdH4u gF39J1f3pxwenuQvw96T02G0jrrkPu4WOE2s1qCaB
X-Google-Smtp-Source: AGHT+IG1VrxFi5rB9kFWU4RGNA7o2uYk+4f2zSl1esmt+AsJ7zB2NSU8p5jFe3Oa0r3XUThGV9T66VFjHGR0+ZrNlNY=
X-Received: by 2002:a67:f650:0:b0:473:4d73:5e1c with SMTP id u16-20020a67f650000000b004734d735e1cmr15771105vso.9.1710901095917; Tue, 19 Mar 2024 19:18:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAJTd26+ZU9_iwRAWW7aFLTh2vo35YDQc5_vLh+pOVjKeBNY6XQ@mail.gmail.com> <15C66118-2240-4891-81A6-228CF094459F@datashrine.de>
In-Reply-To: <15C66118-2240-4891-81A6-228CF094459F@datashrine.de>
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Wed, 20 Mar 2024 12:18:04 +1000
Message-ID: <CAJTd26JLVS9o6CopXRgKY_VJqTyRj30ggJpKM3+DWi39nMJdKA@mail.gmail.com>
To: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Cc: MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000116e7806140e3436"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/8h6l10dYVfBGdv0jQY3HyRLVClo>
Subject: Re: [MLS] Subgroups
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 02:18:21 -0000

Hi Konrad

I was able to publish the draft properly here:
https://datatracker.ietf.org/doc/draft-mcmillion-mls-subgroups/

This includes some updates from your feedback, also detailed below

On Tue, Mar 12, 2024 at 6:23 AM Konrad Kohbrok <konrad.kohbrok@datashrine.de>
wrote:

> Hi Brendan,
>
> Thanks for writing this up! Some comments:
>
> # 1 Introduction and 2 Conventions and Definitions
>
> - The language in the document is very specific to the use-case of a
> single user with multiple devices. As there are a few other use-cases for
> such a virtual clients protocol, it might be better to keep the terminology
> a bit more general.
>

Yes, that's intentional. Almost all the content of the draft is about how
to hide which device sent a message or generated a key. That design
constraint seems unique to the multi-device use case and wouldn't apply to
say, subgroups representing an organization, etc.


> # 3.2 Private Keys
>
> - There is a third instance where emulator clients will have to share
> randomness and that is to compute `path_secret[0]` as described in 7.5 of
> the MLS spec. It shouldn’t be a problem to include just add an extra
> deterministic key derivation step, though.
>

Ah yes, I was misled by Fig 14 of RFC 9420 into thinking that
path_secret[0] is already derived from leaf_secret.


> - I always thought that we’d have to rely on commits to coordinate the
> actions of emulator clients, but the including the encrypted PrivateKeyInfo
> is a neat way of doing so indirectly. At least for KeyPackage uploads.
> - If an emulator client uploads KeyPackages, it should probably also
> inform other emulator clients of the KeyPackage’s hash s.t. when they
> receive a Welcome (on behalf of the virtual client) they know which key to
> use for decryption. The other emulator clients can’t learn that hash from
> the Subgroup Extension, because they might not have access to the group’s
> tree if the group relies on RatchetTreeExtensions to transmit the ratchet
> tree. I don’t think that’s covered yet.
>

I'm not sure we need to specify a protocol mechanism for this, as it is not
security-sensitive and there are a lot of valid ways for the DS to handle
it. The device can use an endpoint that allows fetching KPs by reference,
the DS can send the relevant KP along with the Welcome, or KPs can be
synchronized in the background.


> # 4 Application Messages
>
> - As I’ve already mentioned in my other mail, I’m not sure relying on
> DS-client coordination to prevent key reuse is necessarily better than the
> use of an extension, but that might depend on your use-case. My hope is
> that we can eventually come up with a way to avoid both.
>

For the functional aspect of preventing reuse: I think we need to consider
solutions in terms of whether the DS or Strongly Consistent or Eventually
Consistent. A Strongly Consistent DS can allow devices to check that
they've processed all of the messages sent to a group before sending their
own message. This would solve the problem. With an Eventually Consistent
DS, devices may simply need to retain encryption keys for a short while
after they're used. Clients with an Eventually Consistent DS would
generally already be retaining secrets longer than the deletion schedule
advises, so it would not be unusual.


> # 5.2 Joining Externally
>
> - The process of discarding Welcomes is not quite clear to me. Is that
> meant to be done by the other emulator clients once they come back online?
> Or do we assume that the new emulator client can somehow access the pending
> messages of the offline clients? In the latter case, how would the new
> client even know what groups they are for? In any case, we should be very
> clear about things that do or don’t work when allowing external joins this
> way.
>

Yes, there's an assumption that the new device can discard Welcomes sent to
the virtual client before the external join happened. The new device can
ask the DS for the list of groups that the virtual client is a member of --
the DS has this information as a result of supporting External Joins in the
first place.


> Overall, the protocol looks like a good approach to me. Do you want to
> create a PR against the existing virtual clients doc, or do you prefer to
> maintain a separate document for now?
>

I'm not sure what the best resolution would be


> Cheers,
> Konrad
>
>
> Am 11.03.2024 um 04:51 schrieb Brendan McMillion <
> brendanmcmillion@gmail.com>:
>
> Hi mls@
>
> I wrote a draft today on how I would propose implementing the subgroups /
> virtual clients feature. I'm not currently able to submit it to the
> datatracker, but it is here:
> https://bren2010.github.io/draft-subgroups/draft-mcmillion-mls-subgroups.html
>
> Handling all of the edge cases I could think of, it still came out to be
> quite a simple proposal. Any feedback would be appreciated
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>
>
>

v2.23.0 | Report a Bug | By Email