Re: [MLS] Turning mandatory extensions into fields

Konrad Kohbrok <konrad.kohbrok@datashrine.de> Mon, 21 June 2021 11:57 UTC

Return-Path: <konrad.kohbrok@datashrine.de>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8633A09EC for <mls@ietfa.amsl.com>; Mon, 21 Jun 2021 04:57:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.005
X-Spam-Level:
X-Spam-Status: No, score=0.005 tagged_above=-999 required=5 tests=[RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 44XPUzW_m8Ln for <mls@ietfa.amsl.com>; Mon, 21 Jun 2021 04:57:07 -0700 (PDT)
Received: from mout-p-201.mailbox.org (mout-p-201.mailbox.org [80.241.56.171]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC80F3A09EB for <mls@ietf.org>; Mon, 21 Jun 2021 04:57:06 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4G7p0v2p62zQk2b; Mon, 21 Jun 2021 13:57:03 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de [80.241.56.125]) (amavisd-new, port 10030) with ESMTP id Q6KC9Is9Eoof; Mon, 21 Jun 2021 13:56:57 +0200 (CEST)
Date: Mon, 21 Jun 2021 13:56:56 +0200 (CEST)
From: Konrad Kohbrok <konrad.kohbrok@datashrine.de>
To: =?UTF-8?Q?Th=C3=A9ophile_Wallez?= <theophile.wallez@inria.fr>, Raphael Robert <ietf@raphaelrobert.com>
Cc: mls@ietf.org
Message-ID: <1913706681.187825.1624276616584@office.mailbox.org>
In-Reply-To: <073ddbb9-df13-10e1-c151-bbb52617dfaa@inria.fr>
References: <4C0AD1D0-B644-43C9-A4DD-3635DD1F4DF5@inria.fr> <CA46F1F3-DA2D-4CCA-AAF2-7A2F126505CA@raphaelrobert.com> <073ddbb9-df13-10e1-c151-bbb52617dfaa@inria.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Normal
X-MBO-SPAM-Probability:
X-Rspamd-Score: -4.83 / 15.00 / 15.00
X-Rspamd-Queue-Id: 00F911860
X-Rspamd-UID: 175ddd
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/QJd3r3cxRRmYLxMQ8765QdfHqPM>
Subject: Re: [MLS] Turning mandatory extensions into fields
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jun 2021 11:57:11 -0000

Hi Théophile,

thanks for bringing this up!

I believe splitting the two structures would be a good idea. It would also allow us to have a second private/public keypair in the init key struct for better FS as suggested in the past by Joël.

That being said, I believe we need the lifetime field/extension in both structs, as init key structs should also have an expiration date. If anything, the lifetime extension could be omitted in the leaf struct, as I'm not sure what the consequence would be if a leaf key package expired in an active group. (Would other group members still encrypt to the leaf key? Would they reject messages from that member that are not updates? This would have to be defined in the spec. Or is it already?)

Cheers,
Konrad

> Théophile Wallez <theophile.wallez@inria.fr> hat am 21.06.2021 13:04 geschrieben:
> 
>  
> Hi and sorry for the late answer,
> 
> Is there any good reason to merge the two structures (init keys and leaf 
> content) other than the overlap they have?
> The overlap seems quite small to me (e.g. compared to the "Message 
> Framing" section), it looks like it is only an HPKEPublicKey, a 
> Credential and a signature.
> The non-overlap seems quite big to me, for example:
> - ProtocolVersion, CipherSuite only belong to init keys
> - parent hash, lifetime only belong to leaf content
> 
> I think it would be a good idea to split the two structures again, I 
> believe this would simplify the implementations by making parent hash 
> easily accessible, and by removing unused values of the leaf content 
> (what should we do with ProtocolVersion and CipherSuite, should we check 
> that it is consistent with the group state? should we ignore them?)
> 
> Thank you for your comments,
> 
> Théophile.
> 
> On 22/05/2021 12:20, Raphael Robert wrote:
> > Hi Théophile,
> >
> > The current scheme was introduced a while ago when we merged the the KeyPackages that clients publish ahead of time (previously called init keys) with the KeyPackages that clients use in their leaf nodes.
> > The reason was that there was quite some overlap between the two structs and the logical consequence was that data that differs for the two use cases was expressed as extensions.
> >
> > I’d be open to discussing disambiguating this again and I think I’m not the only one. This would also pave the way for Joël’s proposal to have an additional public key in the init keys in order to improve FS for members who don’t update quickly.
> >
> > Thanks
> >
> > Raphael
> >
> >> On 21. May 2021, at 23:03, Théophile Wallez <theophile.wallez@inria.fr> wrote:
> >>
> >> Hello All,
> >>
> >> The MLS spec includes some extensions that are mandatory.
> >> Considering that this is v1 of the spec, why not just make these into fields and take them out of extensions?
> >>
> >> In particular, in the current draft, the parent hash is only an extension, but it is mandatory when the leaf is generating an UpdatePath.
> >> Let us make it a field in KeyPackage?
> >> Having it as an extension hides its importance for security, and makes the draft confusing to read.
> >> Also, it is a bit weird that parent_hash is a field in ParentNode, and it is an extension in KeyPackage.
> >>
> >> We propose the following changes:
> >>
> >>> New structure:
> >>> struct {
> >>> opaque parent_hash_value<0..255>;
> >>> } ParentHash;
> >>>
> >>> New field in KeyPackage:
> >>> optional<ParentHash> parent_hash;
> >>>
> >>> This optional field must be present in the `leaf_key_package` of an UpdatePath (same constraints as the current extension).
> >> Or:
> >>
> >>> New field in KeyPackage:
> >>> opaque parent_hash<0..255>;
> >>>
> >>> `parent_hash` must be non-empty in the `leaf_key_package` of an UpdatePath (same constraints as the current extension).
> >> Best regards,
> >> Théophile, Benjamin, and Karthik_______________________________________________
> >> MLS mailing list
> >> MLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/mls
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls