[MLS] PSK Injection, Group recovery, Re-Init, Sub-group Branching (#336)

[Richard Barnes <rlb@ipv.sx>]

Hey all,

Sorry for the late review on this PR, I have finally gotten a chance to
really dig into it, and ... I have some concerns.  My current thinking is
consistent with my earlier comments that the general thrust of this PR is
OK.  But I think the actual approach needs to change a fair bit.

As its title implies, this PR is trying to do several things at once, which
seem to me to be fairly separable:

0. Update the key schedule so that PSKs are injected at the right point and
multiple PSKs are supported
1. Signal that a PSK should get injected into a given epoch
2. Request injection of PSK at join / in Welcome
3. Re-initialize the group with different parameters
4. Re-sync group members that have lost state

For the most part, I think these are worthwhile goals, but they should be
accomplished in different ways than the PR proposes.  Detailed thoughts by
objective:


# 0. Update the key schedule so that PSKs are injected at the right point
and multiple PSKs are supported

This part of the PR is fine, but I think is ultimately done a bit more
elegantly with the n-PRF stuff in #337.


# 1. Signal that a PSK should get injected into a given epoch
# 2. Request injection of PSK at join / in Welcome

(These go together)

The PR proposes (heh) an EPSK proposal or an Add proposal, but then
requires that only one EPSK be used.  I actually don't the proposal for
including PSKs in Adds actually works.  The joiner would have to know all
of them plus the EPSK, and there's not even any syntax in the PR to tell
the joiner which ones to include.

I would propose that instead we add an extensions field to the Commit
message, then add a Commit extension that specifies the PSK ID for the PSK
to be added.  That extension can then also go in the Welcome message
corresponding to the commit, so that joiners know to add the PSK.

This change actually doesn't make a difference in terms of what ends up in
the transcript -- either way, only the PSK ID selected by the committer
goes in the transcript.  It seems better not to deliberately have proposals
floating around that never get included in the transcript.


# 3. Re-initialize the group with different parameters

The PR proposes another proposal type for reinitialization, but it's really
under-specified what you do to re-init.  For example, what goes in the
ratchet tree?  Clearly you need a brand new tree, since the one you have
might be tied to the wrong ciphersuite.  What you really need is something
like a Welcome message.

And that's how I think we should actually arrange things.  Instead of
having the parent group do something to spawn, have the initiator of the
child send a Welcome that has a pointer back to the parent.  So we have
another Welcome extension (`parent_group`, say) that has a pointer to the
parent group by group ID and epoch, and instructs the joiner to take a
secret from that group/epoch's key schedule and add it into the new group's
key schedule.



# 4. Re-sync group members that have lost state

We should not do these.  At the January interim, we decided not to drop the
resync issue (#93) given that there were some subtleties depending on
exactly what state had been lost, and that it could be cleanly done in a
separate spec.


# Conclusions

Given the above, I would propose we break this into separate issues to be
closed with individual, smaller PRs.  Assuming that (0) will get addressed
by the n-PRF PR, that leaves us with:

#XXX Add Extensions to the Commit message
#XXX Signal use of external PSKs in Commit/Welcome (=> extension to
Commit/Welcome messages)
#XXX Allow Welcome to signal the inclusion of information from a prior
group (=> Welcome extension)

Happy to write those up, and contribute to PRs.  Sorry again for the slow
progress here.

--Richard