IETF Logo Mail Archive

[MLS] Stupidest possible message protection

Richard Barnes <rlb@ipv.sx> Sun, 02 December 2018 22:25 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08129124D68 for <mls@ietfa.amsl.com>; Sun, 2 Dec 2018 14:25:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.358
X-Spam-Level:
X-Spam-Status: No, score=-3.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mm_No1Dq_Gew for <mls@ietfa.amsl.com>; Sun, 2 Dec 2018 14:25:00 -0800 (PST)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99B82130DC8 for <mls@ietf.org>; Sun, 2 Dec 2018 14:25:00 -0800 (PST)
Received: by mail-oi1-x22b.google.com with SMTP id y23so9290194oia.4 for <mls@ietf.org>; Sun, 02 Dec 2018 14:25:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=/Ex0lzc2ZWfzM+LhwVhR3/QBN84S9ZJ/Zw/yxor059g=; b=HwT1dp6HuX153aRzWPw8Qk3XE9Hz2G/0pBC2N7mVdvJNGsou/eIeygnx9godoTu3zo fhXIWbOpjhGxM/unvhDW3EWdcXsnRdrZl28pyYukMAOz19nmuAzZynxePx5gnNXH7iRp hhIA9M9i68C3eJyor3vqkK/MZSsX0GfU/KANrozSU+iI4LY9UY0jo+oY+SYaTFL79hyQ Xqa8PuGvDflDaj7rfk5goGfxIlYJvXMEQJlC9c1IOi5rCGutcDfj8flSoOA4UBpURMao yzs4oqWxYNiNdr7jTuhYdPhPACcGQKa2Hf/5C9mUXpEkaMg/paKhKJLHSZ4+qB991zoO QflA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=/Ex0lzc2ZWfzM+LhwVhR3/QBN84S9ZJ/Zw/yxor059g=; b=b+EtcMzq6nJyT/+WZ5VvYAyvAMnCYrfT87No2zXcmb8bnw9jtpHwS0F0zdkAHVj8dW R1+oyWxWHIOgVaPgQH5V3C/bpUQTQzOCAvKsEzPT8eAxFg/SYqgpLAz72ReAJK6Sqb6T CNlF6au+Pcx3TG71q3rAhtfjiU4wsvEoXq/qJkvRd7VpvWKa2puqo/R7QS8aEQ//bxuT YYhfEaLdGYm3Quzn3p/dvUPNZtNhhgVY0zfL41D0IJVTS9JqYVl00mi+ua38Hn1Dakzl hMF5PkVvMdmwYfUCvsSv42zYPOWYHWEiD+nUffaiyCxglNuCaI5BDcIXXWGe2attBbs+ 5TPA==
X-Gm-Message-State: AA+aEWZJ0NRPTvzgSbjiypuqnRdoEeNvLDWcdF3BGOznY9tZEV5PWN7o 7bYw9SLL9ij3eB8KW6EXiNpGGkiECBikHaj2Y/PkOsQrVGU=
X-Google-Smtp-Source: AFSGD/XaHbytR4aiY8+8+9IwlQUuBrlsAqSG+K+32b8myXAR7tciMtpE0LnyNKRHOABnQ0LkWvwjGURGEOKWH7arCeU=
X-Received: by 2002:aca:e242:: with SMTP id z63mr8078659oig.51.1543789499724; Sun, 02 Dec 2018 14:24:59 -0800 (PST)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Sun, 02 Dec 2018 17:24:42 -0500
Message-ID: <CAL02cgTjD==YgS848sBWEGrBBkNMAtbUXJuV6RrDmak_+Mu6fw@mail.gmail.com>
To: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bd4cf6057c1180fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/TQOaDac8Yly1ZNogjK97PRZJgIg>
Subject: [MLS] Stupidest possible message protection
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Dec 2018 22:25:02 -0000

Hey all,

As we discussed in Bangkok, there are trade-offs between encrypting
handshake messages and enabling the delivery service to assist with
scaling.

One way to try to split this baby would be to try to evaluate what
information the server needs in order to provide its assistance, and leave
that unencrypted.  This solution would of course require that we convince
ourselves that the unencrypted bits are actually not sensitive, and would
entail a fair bit of complexity in the encryption system.

Another, simpler, approach we could take is to punt the decision to the
application.  We would define in the document two options:

1. Send Handshake messages in the clear
2. Send Handshake messages encrypted as Application messages

(And specify details like how you do Welcome+Add, how you disambiguate
Handshake from other Application messages.)  But we would not specify which
of those paths a given application would do.

What do folks think about that idea?  Personally, I find it kind of
appealing in its simplicity, though I acknowledge it adds another variable
for interop testing / interop failure.  And if you want to make an MLS API,
it's another switch to support.

Cheers,
--RIchard

v2.35.0 | Report a Bug | By Email | System Status