Re: [MLS] MLS Virtual Clients (subgroups/user-groups) and Paired MLS
Brendan McMillion <brendanmcmillion@gmail.com> Sat, 09 March 2024 22:06 UTC
Return-Path: <brendanmcmillion@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 036F1C14F6BA for <mls@ietfa.amsl.com>; Sat, 9 Mar 2024 14:06:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MqapJ0ka_sMr for <mls@ietfa.amsl.com>; Sat, 9 Mar 2024 14:06:19 -0800 (PST)
Received: from mail-ot1-x336.google.com (mail-ot1-x336.google.com [IPv6:2607:f8b0:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D11F2C14F614 for <mls@ietf.org>; Sat, 9 Mar 2024 14:06:19 -0800 (PST)
Received: by mail-ot1-x336.google.com with SMTP id 46e09a7af769-6e519d73850so1030339a34.2 for <mls@ietf.org>; Sat, 09 Mar 2024 14:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710021978; x=1710626778; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hVdIeQh0SmOM0NYimTtAyrQMss5k1TBurdXbzMCgJg0=; b=GdGpIjxVhcoRuvR/Qdaz7+6P+ZvefHXxXneqp92gN5/+Tqwp5yo1cKHq+9R9UoJGfZ un2KSRscwSi4tKXND86b62+BZn48B9OkUnFXCbWqWbmlOu1pnMcTSz1tOnXe/hDEsG2/ 4hfLUPACNHohHQDqLAwn0hqOislmAh340iIXxS748l7ZNlQmlwoWoeWcciZv/L6fwkEe RoqsRmcSiliVFTXKD+m8HjUqB2BKPLAUeWhpYuYuU/rNdjIAo5iIU8+V5YqU9xtaJ47Y IMp8mN5ENQ08nccIaW05iMZ9CbwZgV7AHUrgx8o/HeYhmBZscgxixBdH5/1K/HOMrhYN M1KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710021978; x=1710626778; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hVdIeQh0SmOM0NYimTtAyrQMss5k1TBurdXbzMCgJg0=; b=xKYKYuSIdiYnAOsNKD9dmpqrWqxTLgIbzaQUJrsbiVxorwVhtn4cVC0+LYRuOtNkrM YJ1NYmG1MHQG3cxrpP3k+OjpY5TbYSAw49bvW2uAvhApzhjqZvdOFjRz2nTJaflXxdZf yJ38RR2WzIRcrEj2di2b2/gNSSb5EHrQoK0au/d1Qew3UbDrd5mAXqJ1cE+ZuzhlUZDE J38j3KaTgyxyEbrwBQt6ec2yvvbmaimstEEV7/IPvqFEXIHbCDPrKEk3d3wPVEvHXWH8 LhXRrbOzoBbTNacNQJLeX6DNTLcoZ0LK29yVefamSItuBYcORjNnBfOc7npFvhSE/+wy IAUA==
X-Gm-Message-State: AOJu0YwcvX3lPSqnAFzj0iSj8jiF5GIC13uiYw1w9HDd0OcB/bTaUHyX lptksL7xia2NGEe0tr+duO/SqpkKSEfJ+gwJ17ekyiED/PjWV+eccznNJM/zosUBNxf5BwTtHDS OBhV+9HdCeW1X79xJZwtIXVDhsRpF3dAKRmD5vA==
X-Google-Smtp-Source: AGHT+IGHIglpvxNzvrIGKgm+ce1/Oj6TbunUi6MpQkSa76shEsShUACa7t57tP52yofXrvkAJaNfiG4zWVyVfLUixyo=
X-Received: by 2002:a9d:774e:0:b0:6e4:e483:863f with SMTP id t14-20020a9d774e000000b006e4e483863fmr2698482otl.23.1710021978355; Sat, 09 Mar 2024 14:06:18 -0800 (PST)
MIME-Version: 1.0
References: <202FE455-2AE2-46B9-8A14-5BCDA0F30482@datashrine.de>
In-Reply-To: <202FE455-2AE2-46B9-8A14-5BCDA0F30482@datashrine.de>
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Sat, 09 Mar 2024 14:06:07 -0800
Message-ID: <CAJTd26LU_nXCgkTmOeN4ZzetEefVX6ErCnkfchwbZVHtfGzXvA@mail.gmail.com>
To: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
Cc: MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000093fe5606134184bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/KaN4JdjdxWmvdjVat45N5gLWYgk>
Subject: Re: [MLS] MLS Virtual Clients (subgroups/user-groups) and Paired MLS
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2024 22:06:24 -0000
Hi Konrad Thank you for sharing these! I read the Virtual Clients draft and had some thoughts: # 4.1. External remove proposals I'm confused about this section. If we had an external proposal to remove an inactive device in a subgroup, then another device in the subgroup could commit that proposal. If none of the devices in the subgroup came online for such a long time that it impaired the security of the supergroup, then we should simply send an external remove proposal in the supergroup. We can't allow a situation where a member of a subgroup is offline for a long time, or compromised, and this doesn't percolate up to the supergroup. Generally I think this point about aligning the security properties of the subgroup and supergroup is under-considered. # 4.2. External joins This subsection is quite short and brushes over one of the really important problems the draft needs to solve: how do we add a new device to a subgroup? If another device is online, how specifically can secret state be shared? If there are no other devices online, what specifically does the lone device need to do? # 5. Client Emulation "An emulator client E in G creates a new virtual client V of G by assigning the V a fresh virtual client ID" -- The mathematical style of notation is quite dense and would benefit from being rewritten in plain language. This section also mentions that each virtual client has its own signature key pair. The "ephemeral" issuance of signature key pairs is going to be incompatible with many AS designs. This section also briefly mentions that secrets used in the supergroup are derived deterministically from exporter secrets from the subgroup. It's not clear to me from the draft how the epoch that the exporter secret came from is ever communicated. # 5.2. DS/AS Details We should require here that the DS and AS provide anonymity as to which device in a subgroup is sending a message. # 5.5. Challenge-based application message encryption This whole system seems wrong and unnecessary to me. Virtual Clients would ideally not require any changes to the MLS wire format. When sending application messages, there is the *functional* problem of preventing multiple messages from being encrypted with the same key (functional, because it may cause messages to become unreadable if the encryption key is deleted). I think we could largely ignore this and assume that devices will be able to coordinate through the DS. Then there is the *security* problem of preventing nonce reuse. The MLS protocol already has a "reuse_guard" for this purpose, and we could simply compute reuse_guard = PRP(unique identifier || random data) to ensure that no two devices in a subgroup will choose the same reuse guard. On Thu, Dec 14, 2023 at 8:30 AM Konrad Kohbrok <konrad.kohbrok@datashrine.de> wrote: > Hi everyone, > > Today two drafts have been published that relate to two individual topics > that we have discussed over the past interims: Subgroups (also called > user-groups) and MLS pairing (also called guardianship). > > The virtual clients (or subgroups) draft ( > https://datatracker.ietf.org/doc/draft-kohbrok-mls-virtual-clients/) > describes how multiple clients can collaborate in emulating a virtual > client by forming a subgroup underneath a leaf in one or more MLS groups. > This can be used, for example, to allow a user’s devices to share > membership in one or more groups, or generally to model any hierarchical > structure using MLS groups. While this introduces some complexity, it also > brings performance benefits, as trees generally shrink and updates in a > subgroup can be re-used across multiple higher-level groups. > > The Paired MLS draft ( > https://datatracker.ietf.org/doc/html/draft-fondevik-mls-pairedmls) > allows two MLS clients to pair up, following the protocol described here: > https://eprint.iacr.org/2023/1761. Paired-up devices share a randomness > source, thus allowing one client to issue PCS updates for the other. This > allows a client with more resources to take load off of another, weaker > client. This is achieved by the two clients sharing an “anchor”, i.e. a > single leaf in one or more MLS groups. > > As you may have noticed, the “anchor” concept in Paired MLS is > conceptually the same as that of subgroups, which is why we wanted to > jointly announce them to the WG. > > We are confident that both documents are of interest to the WG and are > looking forward to feedback and discussions on the list and in the next > interims. > > Both documents are still works in progress. In particular, we’re still in > the process of lining up terminology, but we’re confident that they are > mature enough to open up the discussion. > > Cheers, > > Konrad > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] MLS Virtual Clients (subgroups/user-groups)… Konrad Kohbrok
- Re: [MLS] MLS Virtual Clients (subgroups/user-gro… Brendan McMillion
- Re: [MLS] MLS Virtual Clients (subgroups/user-gro… Konrad Kohbrok
- Re: [MLS] MLS Virtual Clients (subgroups/user-gro… Konrad Kohbrok