Re: [MLS] multiple devices per user?

Rich Persaud <persaur@gmail.com> Mon, 26 March 2018 09:16 UTC


On Mar 24, 2018, at 18:42, Eric Rescorla <ekr@rtfm.com> wrote:
>> On Sat, Mar 24, 2018 at 10:32 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>> 
>> Furthermore, it's not clear what a group conversation participant can
>> *do*, security-wise, in the event of receiving such a message from
>> another participant -- is this actually a new phone, or is it a wiretap
>> injection?  should i ask the user about it?  should i take action?  what
>> action?

In Wire, if Alice has marked each of Bob's device fingerprints as "verified", then the addition of a new device by Bob results in an immediate message to Alice.  The recommended action is to verify the new fingerprint out of band, then Alice can mark Bob's new device as "verified". 


> Generally, I wouldn't expect them to take any action at all. It's a user's
> responsibility to ensure that the right number of devices are registered
> to their account, just as it's common for the number of Web browsers
> one has attached to one's Gmail account.

Here is a scenario on iOS:

(1) User is logged into Facebook via Chrome.  User is not logged into Facebook in Safari, to avoid Facebook tracking on non-Facebook websites visited in Safari.

(2) User receives FB email notification in Apple email.  If user clicks on a link in the email, it opens in Safari and Facebook *automatically logs the user in without a password*.

(3) User then receives FB email notification that they have added a new device.

(4) User must now manually log out of Facebook, then click on a tiny close button on account icon to delete the cookie associated with that user, to avoid Facebook tracking on non-Facebook websites.  That removes (?) the browser as a known device.

Each of the individual UX decisions above could make sense in some contexts, but when combined on iOS where the user cannot choose the browser in which email links are opened, it leads to an undesirable UX where the user must invest repeated effort to ensure that the right number of devices are registered to their account.

Rich
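
A minimal model of the alerting rule described for Wire in the message above, added here as an example (it is not part of the original message and is not Wire's code). The class and function names, the SHA-256 fingerprint format and the key bytes are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of a device public key (assumed fingerprint format)."""
    return hashlib.sha256(public_key).hexdigest()

class ContactDevices:
    """Alice's local view of one contact's devices: fingerprint -> verified?"""

    def __init__(self, name: str):
        self.name = name
        self.devices = {}  # fingerprint (str) -> verified (bool)

    def fully_verified(self) -> bool:
        # all() over an empty collection is True, so a contact with no
        # known devices must be excluded explicitly.
        return bool(self.devices) and all(self.devices.values())

    def add_device(self, public_key: bytes) -> Optional[str]:
        """Record a newly announced device. Return an alert only when it
        degrades a contact whose devices were all verified before."""
        fp = fingerprint(public_key)
        if fp in self.devices:
            return None  # already known, state unchanged
        was_verified = self.fully_verified()
        self.devices[fp] = False  # a new device always starts unverified
        if was_verified:
            return f"{self.name} added device {fp[:16]}; verify it out of band"
        return None

    def verify(self, public_key: bytes, fp_out_of_band: str) -> bool:
        """Mark a device verified only if the fingerprint obtained out of
        band matches the one computed from the announced key."""
        fp = fingerprint(public_key)
        if fp not in self.devices:
            return False
        if hmac.compare_digest(fp, fp_out_of_band.strip().lower()):
            self.devices[fp] = True
        return self.devices[fp]

if __name__ == "__main__":
    bob = ContactDevices("Bob")
    phone, laptop = b"constructed-phone-key", b"constructed-laptop-key"
    bob.add_device(phone)                  # first device: no alert yet
    bob.verify(phone, fingerprint(phone))  # compared out of band
    print(bob.add_device(laptop))          # alert: Bob was fully verified
    print(bob.fully_verified())            # False until laptop is verified
```
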