Re: [MLS] Hiding content type

Raphael Robert <> Mon, 13 July 2020 16:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8C8CF3A156D for <>; Mon, 13 Jul 2020 09:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GIZehmlgovfA for <>; Mon, 13 Jul 2020 09:32:42 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 13B9E3A1523 for <>; Mon, 13 Jul 2020 09:32:36 -0700 (PDT)
Received: by with SMTP id s10so17180114wrw.12 for <>; Mon, 13 Jul 2020 09:32:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=4fd+4KL2fAmoLtu69dfSr8B9uqtnvb1eDdgOkd9wXPI=; b=UB9TZ105PU06Aege51zv6Kyp5jmZPZC1S+Rx107zG/zbkZ0g18hjfHKS1jhtuf8huh hTuLgC5fx1hy9NwGr9O6EhoJBn84iIrp5g+m5xDCKjFdwmUpLmSWe1YY7mDRsKePmWju Qq/XcV3y3xqy4a/0O3QHGmfl1nJooSlsDuWrdR+eXy008U82T7r5SV9bSpTeT1re60sG mzQrx1SZdflwIQ8XvXhhYsS/hdUcCAzmz+RDSjzeisAkV/dXFBw9G7kM6NHzdcB+qJ+s 6bfmlPhi0o0XpMCO5zDikDz/CG5oI+vgzIfGk8OIi/4UDLKOaTC4AkDoXMEoHr9VwCZ+ Vs6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=4fd+4KL2fAmoLtu69dfSr8B9uqtnvb1eDdgOkd9wXPI=; b=Ap2KDxmqpIL9XHGhQx08f93vmN2MRCiEsADBgxV6Y40AcY1EXwojyu0LXDWb//xkh6 k/oFj0KrXPbo/uS09O85zb3zUplEUoHfls12dRZpres0OQMB6wEWoGn1raM2vUD16o/5 /Ofv5uT9iEpHkLT7sYMB8dn1tn//csMQjWeUFOiAFdwh6DdYMY9b6oJuT0nmyfZL6LRG 91HaIRtGNnrs21GpcqsFMthBTc2bzDIQv+H0JFqZ3zIZEhFhER60XSviZ8Zc9CIqzMC0 t1kUSZrzrHWxZqia402bOwnqVydhpUAFSvOqJ41qur78PIjSDprfOpxhAgZ8SlfV11Ef k1Cw==
X-Gm-Message-State: AOAM5325/F2vFn/+3eAABKaXhtteiOQrioW9dP2WsTQ0eKzIhocaPP0A rvx++ClDinV0LnKtC4dFJS/ICw==
X-Google-Smtp-Source: ABdhPJxqYRnEgXSZ5YCYSWxBisyBRle8jrbGHAkLDlkN9KRTNvvtD5JDIamJsDUxfhYepEMksbVazA==
X-Received: by 2002:a5d:5187:: with SMTP id k7mr183240wrv.39.1594657954339; Mon, 13 Jul 2020 09:32:34 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id o9sm24035423wrs.1.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Jul 2020 09:32:33 -0700 (PDT)
From: Raphael Robert <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_AF49DD84-0876-406D-B8D2-E60C17805F82"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Mon, 13 Jul 2020 18:32:02 +0200
In-Reply-To: <>
Cc: Brendan McMillion <>, Messaging Layer Security WG <>
To: Richard Barnes <>
References: <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [MLS] Hiding content type
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Jul 2020 16:32:45 -0000

As mentioned on the call, I think that “privacy by design” is the right approach (unless proven otherwise in specific cases) and we should go forward with this.


> On 13 Jul 2020, at 17:56, Richard Barnes <> wrote:
> On Mon, Jul 13, 2020 at 10:57 AM Brendan McMillion < <>> wrote:
> With respect to using an opaque epoch id, I believe this was proposed in #245 <> and consensus was against it because it makes it more difficult to implement the DS. It's also not clear to me what security properties you want from an opaque epoch id, because the current PR doesn't provide collision resistance and I'd expect this to be a source of confusion and bugs.
> I think the discussion on #245 got derailed a bit by the focus on non-linear epochs.  The point here is that even in a case where you have linear history, I think there's intrinsic value in the epoch ID being opaque because it gives intermediaries less opportunity for ossification.
> As far as collision resistance, I'm not too worried about collisions among 64-bit random values, especially as the scope for collision is fairly small, arguably just one epoch.
> With respect to encrypting the content type, it also seems to me that this would cause issues because different content types have different delivery guarantees. Specifically: messages are allowed to be unordered and lossy, proposals are allowed to be unordered but not lossy, and commits are both ordered and not lossy. In the deployment scenarios we've talked about, the DS essentially always needs to know the content type to provide this. Conversely, you don't get much additional privacy from encrypting the content type because an eavesdropper can see the epoch id change and infer which message was a commit, or see a dropped message getting re-sent and infer it was a proposal.
> I don't disagree that there are different guarantees you need, but like I said, I think the idea here is to be conservative by default.  There are systems in which you can hide the metadata you're talking about with things like mixnets and dropboxes.  Keeping the ciphertext as opaque as possible keeps the door open to running MLS over those systems without MLS's own metadata undermining their privacy properties.
> FWIW, in the systems I'm looking at building, this PR does not make any difference, because clients use separate channels for Proposals/Commits vs. application data and the server doesn't check.
> --Richard
> On Mon, Jul 13, 2020 at 8:56 AM Richard Barnes <> wrote:
> Hi all,
> Recall that PR#349 does two things (1) use an opaque epoch ID, and (2) encrypt the content type of the message (application / proposal / commit) [1].
> There was some discussion on the call last week that encrypting the content type might not be that useful, since an application that relies on a server to assure ordering of commits will need to at least be able to tell commits from other things.  Of course, even if the content type is encrypted by default, the application can add it back in authenticated data, or in some unauthenticated wrapper.
> Net of those considerations, I'm personally still inclined to merge the PR, to have a conservative baseline.  But those on the call thought it would be useful to pose this to the group, so please speak up if you have concerns.
> --Richard
> [1] <>_______________________________________________
> MLS mailing list
> <>
> <>
> _______________________________________________
> MLS mailing list