Re: [MLS] More clarity around validating proposals
Richard Barnes <rlb@ipv.sx> Sat, 14 May 2022 02:03 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28107C1D34EB for <mls@ietfa.amsl.com>; Fri, 13 May 2022 19:03:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ghTOGqjIOfP for <mls@ietfa.amsl.com>; Fri, 13 May 2022 19:03:23 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B725C20D676 for <mls@ietf.org>; Fri, 13 May 2022 19:02:46 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id y3so8524470qtn.8 for <mls@ietf.org>; Fri, 13 May 2022 19:02:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m4p/pAIDxoyiT/P5bF/PpluPStnlrrbo8cBdcXkS7Js=; b=Qwvz4OF1glVz5v4CmhZOIXw6Q1RxoxvwXR7snlXjI4W5Qg9lMjDA8w0rFWyo+z+Y99 boUov7Btm/spIZoy1/vvdLH2D82/wztqxQ7PWxlfptei/eN+9Y6fSfdI1eL9pJ2DnKyP wgd8s/0j8JtZ//yaZcqjaxnRLg9aa9yLEp0rQRnqXfB3O7gmvXhuyyXl4JEzq5Db8Jwj eKee2Ba02sh/COMehrzY6xHiAdsrWQLzv47ug8l6chzVwGb1fkHAnAqfpDA+6yYySGs+ gU8OgD+EmK4CJS+AVWRgPzPa7YSpeWzw+OJsgWhGacyUN1Lt9mJ9aF5CazlmDjMYeAzy vA5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m4p/pAIDxoyiT/P5bF/PpluPStnlrrbo8cBdcXkS7Js=; b=ofO7G0wErVtJ30rJ1gSYDzRQpJ5K1kurWvlglz+qZng7/Ib2duxJiVlI7INo39cScg QqysXT/RxmQQn3A1YPrW7ktuJPyRlbUNyNzD4rnZZ5H5E+VEgKtklaxrl4PmTuX3rD7L lgc8KP2g+SM+PoYVQ5S7SI2vcTZ1IM0MJ2Mm2o/THCiRgq2bUDYRlv2LvIuyNY5RDQyA p2wVl2IxxXyYnrHyURfKrB0lu1hNJp350LEhvOVPWQDkupjr0a02DBL/ebbDsfObVZKq mydbVBTQhQQTd7E2fpgFzDXtZ6e+r7dTquJATxCYT2kZXsjBL10rj8RakJuzU1SGjXf5 lm+g==
X-Gm-Message-State: AOAM5332iVrztEj1aPMqBiErNtJBJ3uSGX8m7zx3qiPxCIucDZKGkyTn 9q45l7pesDHVhj48ByK8MSs/vOvulXXlyoiUC/YfiA==
X-Google-Smtp-Source: ABdhPJwS4VF8Fd7OdWfWAcVJtw4xOcBTyd2ZdEnqiSFNrV1TGHtmGNKlz77m3f7IWy7SDGpSc1D/EywK6ZanlwQIpzw=
X-Received: by 2002:a05:622a:1184:b0:2f3:db10:7bd0 with SMTP id m4-20020a05622a118400b002f3db107bd0mr7243759qtk.202.1652493765727; Fri, 13 May 2022 19:02:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgT5fucwzw=p8UOZwB1ZcS9ZAKsD+UXYG11WOiu0qbt4FA@mail.gmail.com> <8DABF6F4-4C45-4E78-9EA4-EC84D5FDCEB2@gmail.com>
In-Reply-To: <8DABF6F4-4C45-4E78-9EA4-EC84D5FDCEB2@gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 13 May 2022 22:02:35 -0400
Message-ID: <CAL02cgQV1ukfd25PNkkmUyoS11=f74p-P_iSy9i1=3JPn4V_xQ@mail.gmail.com>
To: thomas leavy <thomasleavy1@gmail.com>
Cc: Mularczyk Marta <marta.mularczyk@inf.ethz.ch>, mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e6699e05deef2f12"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/_RQlihZiiEH2OfoPVOZvOB7jRKA>
Subject: Re: [MLS] More clarity around validating proposals
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 May 2022 02:03:28 -0000
Yeah, I think this makes sense, and points to a good way to tighten things up. Actually, I think there might be three levels of filtering / assembly: 1. Does each individual proposal make sense for this group? (e.g., not: an Add with the wrong ciphersuite, or a Remove for a non-existent member) 2. Sender assembles list / receiver verifies list according to application-defined policy 3. Is the resulting list a legal sequence of proposals? (e.g., not: Update and Remove for the same leaf, multiple GroupContextExtensions) In terms of spec text, I think you could define rules for (1) and (3), and say that any Commit MUST obey those rules. The individual-proposal rules (1) could probably go in the proposal type sections. The list-of-proposal rules (3) probably need a new subsection, as Marta suggests. Then the commit processing would lay out the above. How does that strike you? --RLB On Fri, May 13, 2022 at 9:36 PM thomas leavy <thomasleavy1@gmail.com> wrote: > I think I get what you are saying, what do you think of the logic below? > > On both sending and receiving there would be a two stage filter. First > stage is filtering based on rules defined by the RFC (arbitrary choosing of > dupe updates, etc). Second stage is filtering based on rules defined by the > application. > > On sending a commit, you would pass the complete list of proposals through > the RFC filter stage, and then pass the remaining proposals to the > application stage for further filtering. The resulting proposal set would > be committed to. Not sure about MUST be SHOULD wording here. > > On receiving, you MUST reject the commit in the case either your RFC rule > filter, or your application rule filter would select any of the committed > proposals for removal, as this is either a protocol or application rule > violation. > > Thanks, > > - Tom > > On May 13, 2022, at 3:45 PM, Richard Barnes <rlb@ipv.sx> wrote: > > > Fair point, but I think what that mainly argues is for harder > receiver-side requirements, not sender-side ones. So maybe we upgrade some > of the SHOULDs discussed below into MUSTs, especially where the result of > !SHOULD is nonsensical (e.g., Remove after Update, 2x > GroupContextExtension). That way, even if the send selection / order is up > to the application, the receivers will all react the same way. > > The only reason that comes to mind why one wouldn't want to rule out some > of these cases is if you were using inclusion in a commit as a signal that > a proposal was received and accepted but overwritten by a later proposal. > But it seems like that's something that can be safely done at the > application level, reserving the Commit for only things that have actual > impact on the group. > > --RLBa > > On Fri, May 13, 2022 at 2:31 PM thomas leavy <thomasleavy1@gmail.com> > wrote: > >> Hey Richard, >> >> One thing I think we should be careful about is just ensuring that >> whatever the spec says that it is prescriptive enough as to not break basic >> interoperability. What I mean by basic interoperability is that if the same >> application wanted to use one MLS implementation for a web client, and >> another implementation for a native client that interoperability would be a >> success assuming that the application implemented each required >> customization point the same way on both clients. >> >> If we leave it too open where one MLS implementation allows filtering >> proposals on receive, and another only inside processing a commit, then it >> becomes likely that it is not possible to make multiple MLS implementations >> work the same way across even across multiple clients of same application. >> I think the RFC does a good job with this around credential validation, it >> is very explicit about when the application needs to review, and what >> should happen if that review fails. >> >> We would be specifying a flow for first processing the set of available >> proposals to fixed rules that are already defined, and then saying that the >> remainder of proposals should be given to the application for additional >> filtering before the commit is created. On the receiving side we would just >> be looking for the application to identify rule violations that should >> result in error given the proposals in the commit. >> >> Thanks, >> >> - Tom >> >> On May 13, 2022, at 2:04 PM, Mularczyk Marta <marta.mularczyk@inf.ethz.ch> >> wrote: >> >> >> Hi Richard, >> >> Thanks for the input! In fact, we’re all for downgrading MUSTs to >> SHOULDs. I think it still makes sense to collect all the rules / guidance >> from the RFC into a single section 13.4. It would contain: >> >> >> 1. Properties that a committed vector of proposals MUST satisfy. They >> are required for correctness or security of MLS.E.g. >> 1. There MUST NOT be a proposal removing the committer >> 2. ExternalInit MUST only be used in external commit >> 3. The signature MUST verify >> 2. Properties that a committed vector of proposals SHOULD satisfy, >> i.e., general guidance). E.g. >> 1. There SHOULD be at most one proposal affecting a leaf >> >> >> >> > Though I have to say I don't love the idea of trying to implement the >> logic to build such a maximal list. >> >> Very simple :) Say you have a proposal list L. To build a maximal valid >> list, start with an empty list LVal. Then for each P in L, do: if LVal with >> P appended is valid, append P to LVal. Else, continue. >> >> Best, >> Marta >> >> ------------------------------ >> *From:* MLS <mls-bounces@ietf.org> on behalf of Richard Barnes < >> rlb@ipv.sx> >> *Sent:* Friday, May 13, 2022 5:05:28 PM >> *To:* Mularczyk Marta >> *Cc:* mls@ietf.org >> *Subject:* Re: [MLS] More clarity around validating proposals >> >> Hi Marta, >> >> Thanks for thinking about this stuff, these are good issues to clarify. >> I agree with your analysis, and the conclusion that the current text is >> ambiguous. Though I think some of the ambiguity may have been intentional, >> to allow for the sorts of policies you describe. >> >> It seems like there's a prerequisite question as to whether we need to be >> prescriptive about these things. One could imagine leaving the set of >> proposals committed up to the application. Different choices by the >> application would have implications that would be worth discussing in the >> spec (e.g., the members could refuse to commit a Remove sent by an external >> proposer), but both the risks and the possibilities to mitigate them seem >> more specific to application deployment contexts, as opposed to core parts >> of the protocol. Personally, I have a pretty strong preference for this >> option. >> >> If we were going to do that, I think the major impact would just be to >> downgrade the MUSTs on this front to SHOULDs. We should probably provide >> some notes of the general character you describe, but we wouldn't need to >> be quite so precise because we would just be providing guidance, not hard >> requirements. >> >> If we're going to go down the path you suggest, the text changes you >> propose sound about right. Though I have to say I don't love the idea of >> trying to implement the logic to build such a maximal list. It might be >> worth noting that it's possible for there to be multiple lists that are >> maximal in this sense, e.g. if two proposals are mutually exclusive with >> each other but compatible with the others. >> >> --Richard >> On Thu, May 12, 2022 at 12:44 PM Mularczyk Marta < >> marta.mularczyk@inf.ethz.ch> wrote: >> >>> Hi all, >>> >>> Me, Tom Leavy and Joël Alwen think that the text in the RFC around >>> validating proposals, choosing which proposals go into a commit and how to >>> validate a received commit could do with a bit more work. >>> >>> The root issue is that Section 13.2 states “The sender of a Commit MUST >>> include all valid proposals that it has received during the current epoch. >>> Invalid proposals include, for example, proposals with an invalid signature >>> or proposals that are semantically invalid, such as an Add when the sender >>> does not have the application-level permission to add new users.” There are >>> two intertwined issues with this text: >>> >>> 1. The qualifier “MUST” >>> 2. The text is too vague about what a “valid Proposal” is. E.g. it >>> could be interpreted to mean a Proposal is “valid” relative to the current >>> group state: Can it be applied to the group as it stands now? Then it’s >>> “valid”. >>> >>> >>> Put simply, it doesn’t make sense to only validate proposals >>> individually. Instead one should validate if the full list of proposals can >>> be committed. Indeed, other parts of the RFC enforce validation steps that >>> apply to the full list. E.g. >>> >>> - A ReInit proposal MUST be the only one in the commit, and other >>> existing proposals SHOULD be preferred (13.2.1). >>> >>> >>> - Out of multiple proposals affecting the same leaf, the committer >>> MUST choose an arbitrary one (13.2, “If there are multiple (…)”). >>> >>> >>> - Out of multiple PSK proposals with the same ID, the committer MUST >>> choose an arbitrary one (13.2). >>> >>> >>> In fact, once extensions come into play there are likely many more >>> similar situations, even ones affecting lists of otherwise benign proposals >>> (e.g. Add/Remove). Suppose a chat app is built on MLS with a custom room >>> moderator roles extension. The app wants MLS to enforce two rules: Only >>> mods can Add/Remove. Rooms should always have at least 1 Mod. Here’s how >>> the RFC’s current text can become a problem: A and B are the only mods in a >>> room. A makes proposal P1 that removes B. Meanwhile, B makes prop P2 that >>> removes A. C gets both proposals. What should C do? >>> >>> - Option 1: validate & cache both proposals. → Problem: C can no >>> longer issue a commit as it “MUST include all valid proposals”. >>> (Alternatively, it does commit to both as instructed by the RFC which >>> leaves the room without a mod.) >>> >>> >>> - Option 2: validate & cache the first prop received (say, P1), but >>> reject P2 as validating both means C can’t commit. → Problem: If someone >>> else commits to P2 by ref. C can’t process the commit as it doesn’t “know” >>> P2. >>> >>> >>> So, to clean all this up a bit more we are working on a PR with 2 main >>> changes: >>> >>> 1. In 13.2, replace “The sender of a Commit MUST include all valid >>> proposals that it has received“ by ”The sender of a Commit MUST commit to a >>> maximal valid list of proposals. The conditions making a list of proposals >>> 'valid' for an epoch are described in Section 13.4. A valid list is >>> 'maximal' if adding any other received proposal would result in an invalid >>> list.“ >>> 2. Add Section 13.4 which collects all rules for validating >>> proposals (currently in 13.2, 13.1, 11.1, 8.3) into 3 procedures: >>> validating an incoming proposal, validating a list of proposals on creating >>> a commit and on receiving a commit. >>> >>> >>> We’d be happy to hear what people think about this! >>> >>> Marta >>> >>> _______________________________________________ >>> MLS mailing list >>> MLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/mls >>> >> _______________________________________________ >> MLS mailing list >> MLS@ietf.org >> https://www.ietf.org/mailman/listinfo/mls >> >>
- [MLS] More clarity around validating proposals Mularczyk Marta
- Re: [MLS] More clarity around validating proposals Konrad Kohbrok
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals Mularczyk Marta
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals thomas leavy
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals thomas leavy
- Re: [MLS] More clarity around validating proposals Richard Barnes
- Re: [MLS] More clarity around validating proposals Mularczyk Marta
- Re: [MLS] More clarity around validating proposals Rohan Mahy