IETF Logo Mail Archive

Re: [MLS] Recommendation for encrypted group operations

Brendan McMillion <brendanmcmillion@gmail.com> Tue, 30 January 2024 21:10 UTC

Return-Path: <brendanmcmillion@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 964A9C151069 for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 13:10:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HxrGClwqBer2 for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 13:10:51 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5082FC14F6B3 for <mls@ietf.org>; Tue, 30 Jan 2024 13:10:51 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-55f15762840so2515022a12.0 for <mls@ietf.org>; Tue, 30 Jan 2024 13:10:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706649049; x=1707253849; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wCOTmsVAS4o3Zb2bQs6bSAwAqwgiB3L6/cZpZLW8tZs=; b=S8Bwm2R/kOWqIjimLR6c5lfeYZv11WPBX0QFy5lICYWwcR+3DZd/+iKZd1rHt0udqC AewDPfWGdudBxiZrSoV3JeYxx2IDmbHW4jgGBHTE+GogG7DrgYcOy9RhV0kZtdjAcDMI l39NPHzpVNgSM6uhcOFFbB2sPmbT5ezo6pmbhdrIsi9IM8HbGYtQeEUJ3Db7XYaPZV3g dMDLxDH1DwbgIJLJ54oR6QgAfHLtthSXnD1lVsLDMW+Edf2RUHZaaAqvXrF0MJk0gzMM 5nDnR+hihGZICIO6/cTguXP2wthsuziZDfUcyhxQOV3WS6UkmXZAdhoiXSbm7H2AaKpH FtpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706649049; x=1707253849; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wCOTmsVAS4o3Zb2bQs6bSAwAqwgiB3L6/cZpZLW8tZs=; b=WWmTJh9KWclkpBunou7Fr9dlvt55oiCtpO8/iIfFvnA1S2DQreQqRX1R5P8QqdNz6F NXHFagS+mz7bC6rAROr7X4AKyzesj3C2/LTsziy+PZscLTI1C5CFV76LmlWxRHLRnvXW VQKdrXyWbkY/ugNWKIdiH+F3gco8N/ecpnmnfak/jYhyLsSnRfPIVI3FzWf5Nl00e/xt URMZMAN4lB4CI3QLJLLUNNm3OWe0NdDgxyKCT/PCsFzgMMPdZES0hRaENGeyxbE25j76 WA7O5V7E9vhRguA2FaZPtYwtdy9U8Y54b6RqHega+KbE7A15BboOxK81f5mJJH5PaLPM mYYw==
X-Gm-Message-State: AOJu0YzFcNPwyd/qs78tnp9BZF3rQJCtjriTw88C7fIScCqOobTMrv9F WwCfHRlEC+PflURDA54dkOM8aVa6OJMhyD5MdrhhYutYi8897ssvH/ZIXzaTlwYjZ1r+gtZTRfn MA+1EVMdb61ID3Cd1oLguQPTbimH6rWiJ5Po=
X-Google-Smtp-Source: AGHT+IHOZYyQwc8pCjLEf1iYbIm5GLWDf2SO8rPsCHpw9+GVe8DO0xAJEE6dr7HgFvPrXyfmm2IYgEiO7qLcy9JSfFw=
X-Received: by 2002:a05:6402:7cb:b0:55f:4ce3:5988 with SMTP id u11-20020a05640207cb00b0055f4ce35988mr1641820edy.8.1706649048961; Tue, 30 Jan 2024 13:10:48 -0800 (PST)
MIME-Version: 1.0
References: <CAJTd26+hJjKaZZenN3bQuVaifJotVhbpQoYEBLBaN7KiOw2_Qg@mail.gmail.com> <CABcZeBNT=EBMrmOJ1pBpaThs6BcVuajXYt+ziXzEMZU0LKjfjg@mail.gmail.com> <CAL02cgQkOxg6f1U-GwAWTOBDv96yvV1bEFZ=F7ES+Qhs7vDJLA@mail.gmail.com> <CAJTd26L-ROx_T5RaDU9cZscTzOZGM9zGmgwN=_iAtGWw2jgJUA@mail.gmail.com> <CAL02cgR03wgwLFARPPwx1ROCsvPUk0xR83FSudjv0b7aR21yzg@mail.gmail.com> <CAJTd26L_AVPwnm+5-H2nA_x4j2tLZZOKHykBNmvk0PO9oUL4Ww@mail.gmail.com> <CABcZeBPOGtFu=UXyqV-ftiMYx1rXJYbxRNE+Hfggsws8bZ2zwA@mail.gmail.com>
In-Reply-To: <CABcZeBPOGtFu=UXyqV-ftiMYx1rXJYbxRNE+Hfggsws8bZ2zwA@mail.gmail.com>
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Tue, 30 Jan 2024 13:10:37 -0800
Message-ID: <CAJTd26JXHjqVbHs91g+oUbuBrX88geOjbGqz1EW-7TUOLgAQWg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Richard Barnes <rlb@ipv.sx>, MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000051d6bf06103032c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/d5OniPrnBkASx6tejmBZ99m-EKc>
Subject: Re: [MLS] Recommendation for encrypted group operations
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 21:10:55 -0000

#1 is only an issue if you are supporting very very large groups, or maybe
if you have very inefficient credentials. #2 does not immediately resonate
with me, as it sounds more like a concern that you would have in corporate
environments?

I personally have not followed the mimi wg very closely and I can not say
why they made this decision.

On Tue, Jan 30, 2024 at 12:58 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Tue, Jan 30, 2024 at 12:41 PM Brendan McMillion <
> brendanmcmillion@gmail.com> wrote:
>
>> I appreciate the point about the current text seeming like an RFC 6919
>> "should (but won't)" which is why my proposed resolution was to state the
>> specific common reason why the recommendation wouldn't be followed. You're
>> claiming without evidence that the recommendation should be removed because
>> encrypted group operations have a "real cost" that is "clearly
>> prohibitive". This sort of thinking becoming common is what I think we
>> should try to avoid, and why the recommendation should stay. I'm working on
>> such an MLS deployment <https://xmtp.org/roadmap>. The cost is minimal
>> and it actually simplifies things quite a bit to assume nothing of the DS.
>>
>
> Richard in fact did state evidence in his original message, specifically
> that:
>
> 1. "Without this optimization, commits impose linear cost in units of data
> sent by the committer to new joiners, and with large constants because of
> credentials."
> 2. "there are legitimate reasons to have a server act as a policy
> enforcement point as a secondary check on clients (e.g., in cases where
> clients might be adversarial to the interests of the policy controller)."
>
> Those certainly seem like "real costs". Do you think either of those
> statements is untrue?
>
> Perhaps your argument is with "clearly prohibitive", but the relevant
> evidence for that is that when the relevant IETF WG (MIMI) considered this
> matter, they concluded that it was impractical to have encrypted group
> operations. Of course, MIMI could be wrong about that, but then what you
> should be doing is trying to convince them, and perhaps providing text
> about why that analysis is incorrect, to go into this document. Absent
> that, having a naked recommendation doesn't do anything meaningful to
> impact people's behavior and, as I said, mostly makes the IETF look like it
> doesn't have a consistent view.
>
> -Ekr
>
>
>
>
>> On Tue, Jan 30, 2024 at 10:51 AM Richard Barnes <rlb@ipv.sx> wrote:
>>
>>> This brings us back to EKR's point about RFC 6919.  MLS supports those
>>> things, but at real cost.  So yes, some applications might choose to take
>>> on that cost, but to date, nobody has.  This document should be providing
>>> guidance to implementors about how to make good engineering decisions, not
>>> exhorting them to do the most confidentiality-preserving thing at all costs.
>>>
>>> BTW MIMI is making this decision intentionally -- it has already been
>>> discussed pretty extensively, and the costs are clearly prohibitive.  The
>>> considerations are documented in mailing list posts and minutes, and I'm
>>> sure they will make it into the documents.  And nothing we write in this
>>> document can compel that WG to do anything anyway, it's an informative
>>> document.
>>>
>>> --RLB
>>>
>>> On Tue, Jan 30, 2024 at 8:19 AM Brendan McMillion <
>>> brendanmcmillion@gmail.com> wrote:
>>>
>>>> You can workshop the exact text of my email, but the same point still
>>>> stands. We could instead say we're discussing applications that "accept
>>>> leaking group membership to a central server" and "need to use that central
>>>> server to provide certain features". All 3 of these criteria /must/ be met
>>>> to justify using unencrypted group operations. However, MLS was
>>>> painstakingly designed to make meeting any of these 3 criteria /optional/:
>>>> - MLS was designed to be secure without transport encryption
>>>> - MLS was designed to be able to support Sealed Sender-type operation
>>>> - MLS was designed to work on relatively simple Delivery Services that
>>>> are agnostic to the protocol
>>>>
>>>> Keeping the recommendation to use encrypted group operations is not
>>>> passing judgement on applications that use unencrypted group operations. If
>>>> mimi (or any other application) is unable to encrypt group operations
>>>> despite this being a first-class feature of mls, I would just like them to
>>>> make that decision intentionally and document it.
>>>>
>>>> On Tue, Jan 30, 2024 at 9:48 AM Richard Barnes <rlb@ipv.sx> wrote:
>>>>
>>>>> My take here is broadly in line with EKR here.  I have a couple of
>>>>> problems with Brendan's analysis here:
>>>>>
>>>>> First: #3 on Brendan's list says "want to" like it's a personal
>>>>> desire, but it's actually an important objective engineering consideration:
>>>>> Operating MLS is dramatically more efficient in large groups if a server
>>>>> caches the tree, to the point where groups of any size are basically
>>>>> unworkable without this optimization.  (Without this optimization, commits
>>>>> impose linear cost in units of data sent by the committer to new joiners,
>>>>> and with large constants because of credentials.)
>>>>>
>>>>> Second: #2 "don't care about leaking" similarly discounts a legitimate
>>>>> engineering trade-off.  It's not that the apps exposing membership to the
>>>>> server are just being lackadaisical; there are legitimate reasons to have a
>>>>> server act as a policy enforcement point as a secondary check on clients
>>>>> (e.g., in cases where clients might be adversarial to the interests of the
>>>>> policy controller).
>>>>>
>>>>> Calling a set of apps that collectively cover billions of users "quite
>>>>> a specific subset" is certainly a take, but not one I can agree with.
>>>>>
>>>>> If I were writing this myself, the outline would be:
>>>>> * In principle, encrypting MLS handshake messages provides the highest
>>>>> level of confidentiality
>>>>> * In practice, this imposes heavy performance costs
>>>>> * Here are some guidelines that apps can use to decide where they want
>>>>> to land on this trade-off
>>>>>
>>>>> EKR's PR is quite close to this, so I would propose we workshop that
>>>>> text a little and then adopt it.
>>>>>
>>>>> --Richard
>>>>>
>>>>>
>>>>> On Tue, Jan 30, 2024 at 7:11 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 30, 2024 at 8:57 AM Brendan McMillion <
>>>>>> brendanmcmillion@gmail.com> wrote:
>>>>>>
>>>>>>> Hi mls@
>>>>>>>
>>>>>>> One of the first topics of discussion at our last interim was on
>>>>>>> whether or not to keep the recommendation in the architecture draft to use
>>>>>>> encrypted group operations whenever possible. This is issue #210 on the
>>>>>>> repo [1].
>>>>>>>
>>>>>>> The desire to remove this recommendation comes from the fact that
>>>>>>> many mls deployments and the mimi wg do not follow it. It doesn't seem that
>>>>>>> the minutes have been uploaded yet, but my memory of the conversation at
>>>>>>> the interim is that:
>>>>>>> - We generally agree that encrypted group operations would, in an
>>>>>>> ideal world, be preferred. I recall several people saying it's the "moral
>>>>>>> thing to do."
>>>>>>> - Acknowledging that most deployed applications don't encrypt group
>>>>>>> operations. We listed the deployments we knew of to prove this.
>>>>>>>
>>>>>>> The after-the-fact answer I came up with for why most applications
>>>>>>> don't encrypt group operations is that they can 1.) guarantee strong
>>>>>>> transport-layer security, 2.) don't care about leaking group membership to
>>>>>>> a central server, and 3.) want to use that central server to provide
>>>>>>> certain features. Despite being well-represented in the mls wg,
>>>>>>> applications that meet criteria 1, 2 and 3 is actually quite a specific
>>>>>>> subset within the space of what MLS was designed to support. Any
>>>>>>> decentralized application would not meet these criteria (no transport-layer
>>>>>>> encryption). Signal doesn't either (doesn't leak membership).
>>>>>>>
>>>>>>> Given this, my proposal is to keep the recommendation but state that
>>>>>>> applications may use unencrypted operations if they have an explicit
>>>>>>> reason. I've opened a PR to that effect here:
>>>>>>> https://github.com/mlswg/mls-architecture/pull/247
>>>>>>>
>>>>>>> This is in contrast with a PR from Eric that removes the
>>>>>>> recommendation and describes the tradeoffs between encrypted and
>>>>>>> unencrypted group operations on relatively equal footing:
>>>>>>> https://github.com/mlswg/mls-architecture/pull/246
>>>>>>>
>>>>>>> Please say on the list if you have a preference between the PRs.
>>>>>>> Thank you!
>>>>>>>
>>>>>>
>>>>>> Just to clarify the process here: this is the start of a discussion,
>>>>>> not a consensus call, though I suppose the chairs might do a consensus call
>>>>>> later if that's necessary.
>>>>>>
>>>>>> With that said, while I agree that it would be better if people
>>>>>> encrypted the group messages, the objective of IETF documents is not to
>>>>>> talk about the ideal world but to actually document protocol specifications
>>>>>> for people to implement.
>>>>>>
>>>>>> Here in the IETF, we are specifying precisely one such protocol that
>>>>>> uses MLS, which is to say MIMI, and as Brendan notes, that protocol uses
>>>>>> unencrypted group operations. Text like what appears in PR #246 that
>>>>>> suggests that people ought not to do what we in IETF are in fact doing
>>>>>> serves mostly to confuse people and make us look uncoordinated [0].
>>>>>>
>>>>>> -Ekr
>>>>>>
>>>>>> [0] See also RFC 6919 "MUST (BUT WE KNOW YOU WON'T)" and  "OUGHT TO".
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> 1. https://github.com/mlswg/mls-architecture/issues/210
>>>>>>> _______________________________________________
>>>>>>> MLS mailing list
>>>>>>> MLS@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/mls
>>>>>>>
>>>>>> _______________________________________________
>>>>>> MLS mailing list
>>>>>> MLS@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/mls
>>>>>>
>>>>>

v2.23.0 | Report a Bug | By Email