Re: [MLS] Artart early review of draft-ietf-mls-architecture-09
Richard Barnes <rlb@ipv.sx> Wed, 28 September 2022 20:17 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC7E9C15DD69 for <mls@ietfa.amsl.com>; Wed, 28 Sep 2022 13:17:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IF6JM2IQF_io for <mls@ietfa.amsl.com>; Wed, 28 Sep 2022 13:17:18 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89039C15A722 for <mls@ietf.org>; Wed, 28 Sep 2022 13:17:18 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id g20so15555880ljg.7 for <mls@ietf.org>; Wed, 28 Sep 2022 13:17:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=peAk9ORVBq3MHIH7eCuVRvu+TRK2R+8u9xpMZF8RiZA=; b=RXiuCHKnvsGGIrqjvAn7b53C19y9gJx0jf9ADA0VlqOrEc367KrlI5K9qvbirpVU/V lHlQ4dtIyvgZfar3xThDlmGHsU24oBPF05l+D+jU3PkCpJGMl5/0Hb2RSNnDEhEPmgvQ CDc6E8ikLoFq69n3CNwii7prm4hFFfdSyzt6e/vaBFrYxjdFmov6xUU8YeXBumnCu/9D VrZSG+csag/QwptRojl/2RAwmnifoQq7Y0Q4G8z6uIS5pl5USAIM5h3Ya2fvTckdubte bp4GQUagitodjEXn87D9exo/WEtrrFQZL6dpztxjDa0f3K2mZmPUrxYbuCv7gOlusWP1 Zocg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=peAk9ORVBq3MHIH7eCuVRvu+TRK2R+8u9xpMZF8RiZA=; b=tMYDKDnT2FU9idASrYxBfGYz6CdEVZsLffKTzf5rJ2u3YAY34+8Lu6JoAXsEaWQUBF EvRRvGB98KXjJa+IjbMYGKKmc9VvvFiRw3FODUzu2sYY5R9P5bP09uQN2YyFAcNY1U2m Jll2rd+bFjc2ycYGkBxAbFNjC0I7m/9y6hUPI5lnJ9WW3QoDiLgYO/zhHFU2Xt9aE/IR GMGv9+hcIUrUPnfycDnMBzUvB6kWcn01Nl1T+Yt5p2RSe7PeIdZwE/8M0YsWvlNp9HQD IiueNiZLHuevymaI/iCQhzr8hUK9JA1OFQ9wKgzLseEqRK+kXSlBd0kVAPK2cCLl35PB 1zkw==
X-Gm-Message-State: ACrzQf2DosxYFRyOQIyciWaV8Obk7qSSq7XJGnJQTkLQFVXO/ZK87oRs wc/AmoPykUrXDEgA0aSCtLAeNFIsCO41Mw3l1aG1rQ==
X-Google-Smtp-Source: AMsMyM7qPJRyu2DizLVvDbaNsiZurM/dspe0liCgrkN6xjvxKsghCGZJugkhySJafASQ92WmHdbho4ddKGdWvmOv/3Q=
X-Received: by 2002:a2e:a54c:0:b0:26c:50c6:75c1 with SMTP id e12-20020a2ea54c000000b0026c50c675c1mr12623204ljn.408.1664396236277; Wed, 28 Sep 2022 13:17:16 -0700 (PDT)
MIME-Version: 1.0
References: <166435475290.31147.15265580440001096239@ietfa.amsl.com> <CAL02cgTfFUe_f3+E-W_AQDJSCNDRGgFJHu-5Q--aRg2QJi08NQ@mail.gmail.com> <008601d8d372$7f934500$7eb9cf00$@gmail.com>
In-Reply-To: <008601d8d372$7f934500$7eb9cf00$@gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 28 Sep 2022 16:17:05 -0400
Message-ID: <CAL02cgR0GSDa1drz6Zc7fYQBF_DjJzeKxAY0acdHbtit9awFNA@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: Valery Smyslov <valery@smyslov.net>, art@ietf.org, draft-ietf-mls-architecture.all@ietf.org, mls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006de86105e9c27221"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/Mp7BZ5veRKG1WX87N2KehcDD0dI>
Subject: Re: [MLS] Artart early review of draft-ietf-mls-architecture-09
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2022 20:17:20 -0000
Just to recap your scenario: Suppose we have a group where: * All members support versions (A, B) and ciphersuites (X, Y) [where A < B and X < Y for some definition of "<"] * The group uses version A and ciphersuite B In that case, MLS would allow any client to join (including external join) that supports version A and ciphersuite B -- what the members support doesn't matter, only that the joiner supports the group's parameters. That said, MLS provides verified information about version/ciphersuite support to all members, and the joiner's information is visible in an external join. So for example, an application might implement policies that enforce a minimum version / ciphersuite on new joins by having a server reject KeyPackages or external joins that use the versions/ciphersuites that are too old. Likewise, group members could refuse to add a new member (remove an external joiner) that doesn't meet their requirements. --Richard On Wed, Sep 28, 2022 at 3:42 PM Valery Smyslov <smyslov.ietf@gmail.com> wrote: > Hi Richard, > > > > thank you for the explanations. One clarifying question (with trimming all > the rest): > > > > Hi Valery, > > > > Thanks for the review. A couple of comments inline (with some trimming)... > > > > 1. Section 5.10 describes the compatibility with future Versions of MLS. > In > particular it states: > > When multiple versions of MLS > are available, the negotiation protocol guarantees that the version > agreed upon will be the highest version supported in common by the > group. > > and > > In MLS 1.0, the creator of the group is responsible for selecting the > best ciphersuite supported across clients. > > I think this is problematic for the clients that join group later. > Consider the > situation when a newer version of the protocol is available and some > clients > are upgraded, but most are not yet. If the upgraded clients (that support > both > versions) form a new group, then they select the highest version of the > protocol. After that no other clients, that are not yet upgraded (which > still > form majority), can join this group. The same situation is with > ciphersuites > (and it is unclear what is "the best ciphersuite", how to compare them). > > I think there must be an option for the group in situation when all the > members > support several protocol versions (or several ciphersuites) to change the > version (or ciphersite) on the fly (if this is ever possible and doesn't > lead > to the degradation of security) if incoming clients don't support the > currently > selected ones. This should also include "external joins", probably the > published information about the group should be constructed in such a way > that > clients having different capabilities may read it. > > I understand that this would complicate the protocol, but otherwise its > usability would suffer. > > > > I think the mechanics you're looking for are already in the protocol. The > Capabilities element of the LeafNode describes the supported versions and > ciphersuites for each member of the group, so you can always tell whether > the version/ciphersuite in use is the best one possible. At the beginning > of the group, this functions as downgrade protection; as the group ages and > clients update to support new things, it can highlight opportunities for > upgrade. (Upgrade being done with the ReInit mechanism in the protocol.) > All members of the group are aware of these signals and protected from any > intermediary tampering with them. > > > > The latter point is the important one: The protection against downgrade > here is against *intermediaries*, not group members. The notion of "best" > is up to the application (just as for say TLS servers), thus so is the > selection of ciphersuites among those available and the timing of upgrades. > > > > In other words, the protocol has already done all it can do. > > > > Do I get you right that the following scenarios are already > supported by the protocol? > > > > Some set of clients that all support version x and version y > (where y > x) form a new group > > using version y. Let this group policy allows "external joins". > My question - can a new client > > that support only version x join this group later using the > external join mechanism? > > The same question with ciphersuites - if all clients in the > group support > > ciphersuites X and Y and selected X as "the best" at the time > the group is formed, then > > can a client that only support ciphersuite Y join this group > later using > > "external join"? Note, that in both cases there is some kind of > downgrade... > > > > If these scenarios are supported by the protocol, then my > concerns were extraneous. > > However, it would be great if they are outlined in details in > the document. > > > > Regards, > > Valery. > > > > >
- [MLS] Artart early review of draft-ietf-mls-archi… Valery Smyslov via Datatracker
- Re: [MLS] Artart early review of draft-ietf-mls-a… Richard Barnes
- Re: [MLS] Artart early review of draft-ietf-mls-a… Valery Smyslov
- Re: [MLS] Artart early review of draft-ietf-mls-a… Richard Barnes
- Re: [MLS] Artart early review of draft-ietf-mls-a… Valery Smyslov