IETF Logo Mail Archive

Re: [MLS] Recommendation for encrypted group operations

Eric Rescorla <ekr@rtfm.com> Tue, 30 January 2024 20:58 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72A7BC14F6B3 for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 12:58:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPdVP3n1zATc for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 12:58:29 -0800 (PST)
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 436FAC14F5FD for <mls@ietf.org>; Tue, 30 Jan 2024 12:58:29 -0800 (PST)
Received: by mail-pj1-x102e.google.com with SMTP id 98e67ed59e1d1-29041136f73so2299145a91.0 for <mls@ietf.org>; Tue, 30 Jan 2024 12:58:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1706648309; x=1707253109; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nhD3TbqjCoJe9z3x/8le4EcmSykdSyaOFpS008ZPcJE=; b=IVs9BYP14/qHIIajzK3hB1OIOtm5sMP1FUCDUWNzm01ATj6Qatp1O0EtoaQg6K3P1w mdEKQCpm1qVgz2R7+k+S0db2o+jtcquJVpYwRSJAPuOcf+1YevE8Y/aNL0DSmjgkfO1c cpgBLtDOzl9V2bxeUWvEG2l+eFytQxKsg7KY4RiI5RQGuctmYkjxAoUoKjKEZXu9ZZJA I8v4Noq7yu3N9oTH2SbB9lcE6/mFp7PDHaAXMZgIkFyTiH4OS3RufGkClhSRYb2YHtKG YHCMW0UJvbrD6pVtMmgrsO/WyuMTYzyuSJGeMAJSWV96ytFx3F6BXbCmdABMiB2tsuKq EvYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706648309; x=1707253109; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nhD3TbqjCoJe9z3x/8le4EcmSykdSyaOFpS008ZPcJE=; b=pc2+Sl2AFxoczU+VqGlR89/4wmT0iAnWoiKCFKHeQtkqn10rHjzqTWAKweRCMHYwuL D7LTyzOx8ktGdPvQivwU/YrBkqvcvGfvpqAOtwtSdLKjtXzTQo7ia99OLaJ2R8TYTbT9 NUUf9jw8Am5wzFVZZPsz82cjmA7arNpHiQaZrXhd1rNtjNpsYse4CeHXMywgkXaO6aTA yD8AN7xbIJb0KWcDy0Hjug7haZeEepyDOzx5PwlcBIo0/ozfU0ihoXTsQj2d3W3qM2V3 Q7x7x0Q70vQfldPN/MONZ8wTlPUF/YLhTWr23cqBbR7Y+02SHCGVciPioqEWGlfk3fpq o1aQ==
X-Gm-Message-State: AOJu0Yxa6C5xV4PkEn0zPNidW+8uwyy+1dyYdgMLVh9kEF6nFh5waWAU GvWSkt9aZL4Tl256U2n0L5RnZ1bzNztCIVC+rxBR4ffh++UvcLqYgIUkNNeD0wSdREqQNAwFvzV 2I48v4ZCOymt1kwmBN6qsbfzQjH58rF1Ic/rujKk3R+gQu0///30=
X-Google-Smtp-Source: AGHT+IEmcMEmbhwX7/flnMKzAdGveTP0Poo5oaCPrKbnGk2j7wZ7N2gcWcpq82wFQtKnOGGiZuTLNJux0ylbZaFSFlk=
X-Received: by 2002:a17:90a:fd95:b0:295:d453:88f4 with SMTP id cx21-20020a17090afd9500b00295d45388f4mr689983pjb.4.1706648308656; Tue, 30 Jan 2024 12:58:28 -0800 (PST)
MIME-Version: 1.0
References: <CAJTd26+hJjKaZZenN3bQuVaifJotVhbpQoYEBLBaN7KiOw2_Qg@mail.gmail.com> <CABcZeBNT=EBMrmOJ1pBpaThs6BcVuajXYt+ziXzEMZU0LKjfjg@mail.gmail.com> <CAL02cgQkOxg6f1U-GwAWTOBDv96yvV1bEFZ=F7ES+Qhs7vDJLA@mail.gmail.com> <CAJTd26L-ROx_T5RaDU9cZscTzOZGM9zGmgwN=_iAtGWw2jgJUA@mail.gmail.com> <CAL02cgR03wgwLFARPPwx1ROCsvPUk0xR83FSudjv0b7aR21yzg@mail.gmail.com> <CAJTd26L_AVPwnm+5-H2nA_x4j2tLZZOKHykBNmvk0PO9oUL4Ww@mail.gmail.com>
In-Reply-To: <CAJTd26L_AVPwnm+5-H2nA_x4j2tLZZOKHykBNmvk0PO9oUL4Ww@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 30 Jan 2024 12:57:51 -0800
Message-ID: <CABcZeBPOGtFu=UXyqV-ftiMYx1rXJYbxRNE+Hfggsws8bZ2zwA@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: Richard Barnes <rlb@ipv.sx>, MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000031c13f0610300697"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/EqFAq83BtcQqxCdYZ5PYPoWLiig>
Subject: Re: [MLS] Recommendation for encrypted group operations
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 20:58:33 -0000

On Tue, Jan 30, 2024 at 12:41 PM Brendan McMillion <
brendanmcmillion@gmail.com> wrote:

> I appreciate the point about the current text seeming like an RFC 6919
> "should (but won't)" which is why my proposed resolution was to state the
> specific common reason why the recommendation wouldn't be followed. You're
> claiming without evidence that the recommendation should be removed because
> encrypted group operations have a "real cost" that is "clearly
> prohibitive". This sort of thinking becoming common is what I think we
> should try to avoid, and why the recommendation should stay. I'm working on
> such an MLS deployment <https://xmtp.org/roadmap>. The cost is minimal
> and it actually simplifies things quite a bit to assume nothing of the DS.
>

Richard in fact did state evidence in his original message, specifically
that:

1. "Without this optimization, commits impose linear cost in units of data
sent by the committer to new joiners, and with large constants because of
credentials."
2. "there are legitimate reasons to have a server act as a policy
enforcement point as a secondary check on clients (e.g., in cases where
clients might be adversarial to the interests of the policy controller)."

Those certainly seem like "real costs". Do you think either of those
statements is untrue?

Perhaps your argument is with "clearly prohibitive", but the relevant
evidence for that is that when the relevant IETF WG (MIMI) considered this
matter, they concluded that it was impractical to have encrypted group
operations. Of course, MIMI could be wrong about that, but then what you
should be doing is trying to convince them, and perhaps providing text
about why that analysis is incorrect, to go into this document. Absent
that, having a naked recommendation doesn't do anything meaningful to
impact people's behavior and, as I said, mostly makes the IETF look like it
doesn't have a consistent view.

-Ekr




> On Tue, Jan 30, 2024 at 10:51 AM Richard Barnes <rlb@ipv.sx> wrote:
>
>> This brings us back to EKR's point about RFC 6919.  MLS supports those
>> things, but at real cost.  So yes, some applications might choose to take
>> on that cost, but to date, nobody has.  This document should be providing
>> guidance to implementors about how to make good engineering decisions, not
>> exhorting them to do the most confidentiality-preserving thing at all costs.
>>
>> BTW MIMI is making this decision intentionally -- it has already been
>> discussed pretty extensively, and the costs are clearly prohibitive.  The
>> considerations are documented in mailing list posts and minutes, and I'm
>> sure they will make it into the documents.  And nothing we write in this
>> document can compel that WG to do anything anyway, it's an informative
>> document.
>>
>> --RLB
>>
>> On Tue, Jan 30, 2024 at 8:19 AM Brendan McMillion <
>> brendanmcmillion@gmail.com> wrote:
>>
>>> You can workshop the exact text of my email, but the same point still
>>> stands. We could instead say we're discussing applications that "accept
>>> leaking group membership to a central server" and "need to use that central
>>> server to provide certain features". All 3 of these criteria /must/ be met
>>> to justify using unencrypted group operations. However, MLS was
>>> painstakingly designed to make meeting any of these 3 criteria /optional/:
>>> - MLS was designed to be secure without transport encryption
>>> - MLS was designed to be able to support Sealed Sender-type operation
>>> - MLS was designed to work on relatively simple Delivery Services that
>>> are agnostic to the protocol
>>>
>>> Keeping the recommendation to use encrypted group operations is not
>>> passing judgement on applications that use unencrypted group operations. If
>>> mimi (or any other application) is unable to encrypt group operations
>>> despite this being a first-class feature of mls, I would just like them to
>>> make that decision intentionally and document it.
>>>
>>> On Tue, Jan 30, 2024 at 9:48 AM Richard Barnes <rlb@ipv.sx> wrote:
>>>
>>>> My take here is broadly in line with EKR here.  I have a couple of
>>>> problems with Brendan's analysis here:
>>>>
>>>> First: #3 on Brendan's list says "want to" like it's a personal desire,
>>>> but it's actually an important objective engineering consideration:
>>>> Operating MLS is dramatically more efficient in large groups if a server
>>>> caches the tree, to the point where groups of any size are basically
>>>> unworkable without this optimization.  (Without this optimization, commits
>>>> impose linear cost in units of data sent by the committer to new joiners,
>>>> and with large constants because of credentials.)
>>>>
>>>> Second: #2 "don't care about leaking" similarly discounts a legitimate
>>>> engineering trade-off.  It's not that the apps exposing membership to the
>>>> server are just being lackadaisical; there are legitimate reasons to have a
>>>> server act as a policy enforcement point as a secondary check on clients
>>>> (e.g., in cases where clients might be adversarial to the interests of the
>>>> policy controller).
>>>>
>>>> Calling a set of apps that collectively cover billions of users "quite
>>>> a specific subset" is certainly a take, but not one I can agree with.
>>>>
>>>> If I were writing this myself, the outline would be:
>>>> * In principle, encrypting MLS handshake messages provides the highest
>>>> level of confidentiality
>>>> * In practice, this imposes heavy performance costs
>>>> * Here are some guidelines that apps can use to decide where they want
>>>> to land on this trade-off
>>>>
>>>> EKR's PR is quite close to this, so I would propose we workshop that
>>>> text a little and then adopt it.
>>>>
>>>> --Richard
>>>>
>>>>
>>>> On Tue, Jan 30, 2024 at 7:11 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Jan 30, 2024 at 8:57 AM Brendan McMillion <
>>>>> brendanmcmillion@gmail.com> wrote:
>>>>>
>>>>>> Hi mls@
>>>>>>
>>>>>> One of the first topics of discussion at our last interim was on
>>>>>> whether or not to keep the recommendation in the architecture draft to use
>>>>>> encrypted group operations whenever possible. This is issue #210 on the
>>>>>> repo [1].
>>>>>>
>>>>>> The desire to remove this recommendation comes from the fact that
>>>>>> many mls deployments and the mimi wg do not follow it. It doesn't seem that
>>>>>> the minutes have been uploaded yet, but my memory of the conversation at
>>>>>> the interim is that:
>>>>>> - We generally agree that encrypted group operations would, in an
>>>>>> ideal world, be preferred. I recall several people saying it's the "moral
>>>>>> thing to do."
>>>>>> - Acknowledging that most deployed applications don't encrypt group
>>>>>> operations. We listed the deployments we knew of to prove this.
>>>>>>
>>>>>> The after-the-fact answer I came up with for why most applications
>>>>>> don't encrypt group operations is that they can 1.) guarantee strong
>>>>>> transport-layer security, 2.) don't care about leaking group membership to
>>>>>> a central server, and 3.) want to use that central server to provide
>>>>>> certain features. Despite being well-represented in the mls wg,
>>>>>> applications that meet criteria 1, 2 and 3 is actually quite a specific
>>>>>> subset within the space of what MLS was designed to support. Any
>>>>>> decentralized application would not meet these criteria (no transport-layer
>>>>>> encryption). Signal doesn't either (doesn't leak membership).
>>>>>>
>>>>>> Given this, my proposal is to keep the recommendation but state that
>>>>>> applications may use unencrypted operations if they have an explicit
>>>>>> reason. I've opened a PR to that effect here:
>>>>>> https://github.com/mlswg/mls-architecture/pull/247
>>>>>>
>>>>>> This is in contrast with a PR from Eric that removes the
>>>>>> recommendation and describes the tradeoffs between encrypted and
>>>>>> unencrypted group operations on relatively equal footing:
>>>>>> https://github.com/mlswg/mls-architecture/pull/246
>>>>>>
>>>>>> Please say on the list if you have a preference between the PRs.
>>>>>> Thank you!
>>>>>>
>>>>>
>>>>> Just to clarify the process here: this is the start of a discussion,
>>>>> not a consensus call, though I suppose the chairs might do a consensus call
>>>>> later if that's necessary.
>>>>>
>>>>> With that said, while I agree that it would be better if people
>>>>> encrypted the group messages, the objective of IETF documents is not to
>>>>> talk about the ideal world but to actually document protocol specifications
>>>>> for people to implement.
>>>>>
>>>>> Here in the IETF, we are specifying precisely one such protocol that
>>>>> uses MLS, which is to say MIMI, and as Brendan notes, that protocol uses
>>>>> unencrypted group operations. Text like what appears in PR #246 that
>>>>> suggests that people ought not to do what we in IETF are in fact doing
>>>>> serves mostly to confuse people and make us look uncoordinated [0].
>>>>>
>>>>> -Ekr
>>>>>
>>>>> [0] See also RFC 6919 "MUST (BUT WE KNOW YOU WON'T)" and  "OUGHT TO".
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> 1. https://github.com/mlswg/mls-architecture/issues/210
>>>>>> _______________________________________________
>>>>>> MLS mailing list
>>>>>> MLS@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/mls
>>>>>>
>>>>> _______________________________________________
>>>>> MLS mailing list
>>>>> MLS@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/mls
>>>>>
>>>>

v2.23.0 | Report a Bug | By Email