Re: [MLS] multiple devices per user?

Simon Friedberger <> Sun, 25 March 2018 00:06 UTC

List-Id: Messaging Layer Security <>

Hi Jon and Eric!

On 25.03.2018 00:08, Jon Millican wrote:
> I’d like to second Ekr’s points here. To provide a concrete use case,
> in Facebook Messenger, we want Secret Conversations to work for a user
> as soon as they log in on a new device. This somewhat blurs the
> boundary between device loss/recovery and concurrent use as it is used
> for both situations; but we don’t want to require existing device to
> authorise new devices as – to be perfectly frank – we’re not convinced
> that most people would actually do this, and it puts a potential
> usability barrier in the way of people using the E2E mode.

Won't this give us e2e encryption but no e2e security against active
attackers? If we remove authentication in favor of ux what's to stop an
mitm attacker?

> it's that there are use cases in
> which users want to add a new device without an existing device being
> online, and these are incompatible with type #0 designs.

I'm not sure that devices being added is such a common occurrence that it
would prohibit asking for authorization from a different device.

> Generally, I wouldn't expect them to take any action at all. It's a user's
> responsibility to ensure that the right number of devices are registered
> to their account, just as it's common for the number of Web browsers
> one has attached to one's Gmail account.

How would a user find out which devices are registered to their account
when they don't have to authorize them? And if it can be done, isn't
"authorize-on-first-use" more user-friendly than expecting that users
will maintain a list of authorized devices, i.e. check at random
intervals if the list is still correct?

Best Regards,