Re: [MLS] Functional Definition of End-to-End Secure Messaging

Sofía Celi <cherenkov@riseup.net> Sun, 09 May 2021 23:41 UTC

Return-Path: <cherenkov@riseup.net>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6E703A24E2 for <mls@ietfa.amsl.com>; Sun, 9 May 2021 16:41:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=riseup.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXwGri4bLUN9 for <mls@ietfa.amsl.com>; Sun, 9 May 2021 16:41:34 -0700 (PDT)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB5B33A24DF for <mls@ietf.org>; Sun, 9 May 2021 16:41:33 -0700 (PDT)
Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4Fdggc56C5zDv3q for <mls@ietf.org>; Sun, 9 May 2021 16:41:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1620603692; bh=JzCPT/7SKTQ1JgAk20KtnaKSxLvLwKja95WoAQHVMoo=; h=To:References:From:Subject:Date:In-Reply-To:From; b=s4Dn/IL4mzktU0BOM+7RMNSi4cU9m0ibZ5IEz60ZXpvyfRxvZL/77h+fumd1R9yla b8RFRrUgwD4ZQLxhyZVINzi01iMPJSE/ofMkhWwCS3BBYXYlw1RyoqHRKAJVC2Z3wQ OzoX3yuiSwpIG/QbXpbiNKYUPTQaaCiYxztGliiw=
X-Riseup-User-ID: 5B7603CEFD6745DA0EDFAE78D23F7BC246ECEFC001B3F36600FDD7EA90637E1C
Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews2.riseup.net (Postfix) with ESMTPSA id 4Fdggc1QD2z1xph for <mls@ietf.org>; Sun, 9 May 2021 16:41:31 -0700 (PDT)
To: mls@ietf.org
References: <CAFWeb9LwdSecpQdM1zvTAht+DvnYf3NCD4tcte1ZcH-pjHFRnA@mail.gmail.com> <B0A56CC0-7C7C-4343-886A-020D4CCD7BCD@raphaelrobert.com> <CAFWeb9Kb4FwzkT0Bj7jhTxnW+i3qTQanu=JRc73=WDK+NR2Jmw@mail.gmail.com> <E418B2DA-D0E3-473A-A8A1-3248766A90DF@raphaelrobert.com> <CAFWeb9LgU+eC0FVndeY-6Kf=NNUf4Lmdhuy2nKXwyK9gDE8UHg@mail.gmail.com> <C64A0465-28E7-4FFE-834A-B1EB50343574@raphaelrobert.com>
From: =?UTF-8?Q?Sof=c3=ada_Celi?= <cherenkov@riseup.net>
Message-ID: <937f9db9-d0e2-390e-0ef8-8dfa73e993b0@riseup.net>
Date: Mon, 10 May 2021 00:41:30 +0100
MIME-Version: 1.0
In-Reply-To: <C64A0465-28E7-4FFE-834A-B1EB50343574@raphaelrobert.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/PsWKLoiP9rreIyWB_oPJ0YBd7Fc>
Subject: Re: [MLS] Functional Definition of End-to-End Secure Messaging
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 May 2021 23:41:39 -0000

Dear, Raphael,

Thank you so much you all for this very interesting thread.

> Regarding the definition of an “end”, draft-knodel-e2ee-definition-01
> has section 2.1, 4.3 & 4.5. Your draft has section 4.1 & 5. In my mind
> both drafts could be a bit more assertive here. I like that you
> introduce different types of participants. I think that point is
> particularly important, because if the participants are not just “humans
> with a messenger app”, it begs the question who has control over the
> messages that were received by that participant. Other humans who are
> not part of the “conversation”? Future participants of the
> “conversation”? A machine that will scan the message content and act on
> it? In the end this defines what “confidentiality” really means, besides
> the academic definition.

These are really interesting points. I see four points:

* Future or past recipients of a conversation: it could be that a
conversation is read prior to the intended recipient, or after the
intended recipient. This is somewhat not cover in every day
applications, as someone else can get access to a device and read the
messages intended for a recipient. In those terms, I think this is
described as 'secure' for the network (and the intended recipient is the
device, then); but if a device is compromised, then the contents could
be potentially read by someone else. A point to include here then is the
idea of 'disappearing messages', as a property for trying to avoid this.
But if a message is read and disappeared prior to the actual "recipient"
reading it, then the purpose is also lost. It could also be that someone
asks you to show the contents of a conversation, as it has happened to
many while crossing borders or an abusers that controls the devices in a
case of domestic violence.
* Messages read by something that is not a "human": this could be a bot
that is part of a conversation (but should it be?, if so, it should be
disclosed to the sender-s-, and potentially properly "authenticated") or
malware in the device itself.
* Messages read by a backdoor or vulnerability: I think that if an
application has a backdoor (with the whole purpose of having it there to
read the contents) then it is not end-to-end encrypted. If someone or
something is added to the conversation, then it should be authenticated
and disclosed.
* Multiple devices: this could be better explained by stating that the
intended recipients could be multiple devices (these all have to be
authenticated to the conversation).

I really like all of these points (for taking them into account).
@Mallory, I can add some ideas around this to our draft and we can
discuss all further ;)

Thank you,

-- 
Sofía Celi
@claucece
http://claucece.github.io/
Cryptographic research and implementation at many places, but mainly at
Cloudflare
FAB9 3EDC 7CDD 1198 DCFD  4558 91BB 6B45 6F44 2D02