[MLS] Short review of MLS drafts from the OTRv4 group
Sofia <sofia@autonomia.digital> Thu, 14 February 2019 06:05 UTC
Return-Path: <sofia@autonomia.digital>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB14C131139 for <mls@ietfa.amsl.com>; Wed, 13 Feb 2019 22:05:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=autonomia.digital
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0L2Bl1SmKsCy for <mls@ietfa.amsl.com>; Wed, 13 Feb 2019 22:05:32 -0800 (PST)
Received: from mail.autonomia.digital (mail.autonomia.digital [185.108.76.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AF0A131016 for <mls@ietf.org>; Wed, 13 Feb 2019 22:05:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=autonomia.digital; h= date:from:to:cc:subject:message-id:mime-version:content-type; s= mail; bh=edryhGgUFxQQ6idUf5p4j0MZsvzAwnM0O3AGY3I0o6g=; b=VK/2749 71WOnobLflJ6uf/JQrbLeGexVAfyCrpI7wh/2KhJg+kGMOFILh/FftNHa2HJNCnP /viT1DhJ135mCaJyl79R9gByH5Ag+4rksGPhjv1UM51CJj9fiTHUXwUS0FRHvLJm swJTzOTI9KhbQ38qPozm1NS0Wyl4pWJpZmtM=
Received: (qmail 16868 invoked by uid 0); 14 Feb 2019 05:57:09 -0000
Received: from mail.autonomia.digital (HELO mail.autonomia.digital) (sofia) by mail.autonomia.digital with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384 encrypted); 14 Feb 2019 05:57:09 -0000
Date: Thu, 14 Feb 2019 01:05:20 -0500
From: Sofia <sofia@autonomia.digital>
To: mls@ietf.org
Cc: shivankaulsahib@gmail.com
Message-ID: <20190214060520.GA3126@Sofias-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ"
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/bApZklNPcRcpcngvsJzvhoTnMhw>
Subject: [MLS] Short review of MLS drafts from the OTRv4 group
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 06:05:36 -0000
Hi, everyone! Hope you are good! First of all, thanks so much for all the efforts that this group has made! I attended the past interop meeting but it was hard to collaborate remotely ;) We reviewed both drafts of MLS (https://github.com/mlswg/mls-architecture/blob/master/draft-ietf-mls-architecture.md and https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md) in little detail, as they seem to be an ongoing work. The first thing that stood out is that some formatting and restructure might be needed. I really like these two issues: https://github.com/mlswg/mls-protocol/issues/110 and https://github.com/mlswg/mls-protocol/issues/108, as they show that it will be nice (and maybe it will make easier for readers) to have a little bit of more structure. Some improvements on the markdown syntax might be good as well ;) We also think that maybe more formal definitions of the security properties provided by MLS might be needed. Specifically, for 'forward secrecy', for example, the definition given on this paper might be in place: https://eprint.iacr.org/2000/014.pdf We are also unsure on the 'type' of forward secrecy provided. The Signal's X3DH protocol, for example, provides a forward secrecy between strong and weak. We are unsure if the way the Delivery Service, as defined in MLS, when providing the authentication keys and initial keying material, achieves which type of forward secrecy. But, of course, this can be a misunderstood from our side. At some points, it might be nice to give recommendations in the spec: "It is left to the application to determine the interval of time between Update messages.". It is maybe good to provide an example of this time frame. It is also unclear at some points the notation used for the Diffie-Hellman or Elliptic Curve parameters. Related to this, is unsure if this protocol takes into account the cofactor issues. We are unsure if there is a will of including deniability in this. On some points it states: """ [[ OPEN ISSUE: Signatures under the identity keys, while simple, have the side-effect of preclude deniability. We may wish to allow other options, such as (ii) a key chained off of the identity key, or (iii) some other key obtained through a different manner, such as a pairwise channel that provides deniability for the message contents.]] """ """ Non-Repudiation and Deniability As described in {{client-compromise}}, MLS provides data origin authentication within a group, such that one group member cannot send a message that appears to be from another group member. Additionally, some services require that a recipient be able to prove to the messaging service that a message was sent by a given Client, in order to report abuse. MLS supports both of these use cases. In some deployments, these services are provided by mechanisms which allow the receiver to prove a message's origin to a third party (this if often called "non-repudiation"), but it should also be possible to operate MLS in a "deniable" mode where such proof is not possible. [[OPEN ISSUE: Exactly how to supply this is still a protocol question.]] """ If this is something that wants to be included, we will be very happy to answer questions. Nevertheless, there is no way, currently, to achieve the same deniability properties OTRv4 has in a group setting. We are also unsure of the difference between deniability and non-repudation. This is very high-level review. We are very sorry if we misunderstood something. We will be very happy to further check issues, if wanted. We can also help on trying to give more structure, but I'm unsure where this is done: on the github instance? Please, let us know where we can help. Hope this is helpful! -- Sofía Celi (aka cherenkov) @claucece / @cherenkov_d Cryptographic research and implementation at CAD: https://autonomia.digital/ EF74 1A5F 5692 E56F 14F6 243C 3992 6144 F89D 996F
- [MLS] Short review of MLS drafts from the OTRv4 g… Sofia
- Re: [MLS] Short review of MLS drafts from the OTR… Benjamin Beurdouche
- Re: [MLS] Short review of MLS drafts from the OTR… Raphael Robert
- Re: [MLS] Short review of MLS drafts from the OTR… Sofia
- Re: [MLS] Short review of MLS drafts from the OTR… Sofía Celi