IETF Logo Mail Archive

Re: [MLS] Recommendation for encrypted group operations

Eric Rescorla <ekr@rtfm.com> Tue, 30 January 2024 17:11 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C013CC14CF0C for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 09:11:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dh0QdT4DsWUk for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 09:11:32 -0800 (PST)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA064C14F706 for <mls@ietf.org>; Tue, 30 Jan 2024 09:11:32 -0800 (PST)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-600273605a9so41935657b3.1 for <mls@ietf.org>; Tue, 30 Jan 2024 09:11:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1706634692; x=1707239492; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=jlkEm4U/8h+4tozAWr842IZld815CsA+W6eQEuM2JBM=; b=RNKSFcm3I4SrPkEsARXLrSnxOBjsxZbqb3v87aGfbZNKhmiE106BFCRn2u84LSAiPh HAxlYzBjrrKKHN0p9V3mhJqLbxF25rUPlkz/9WpFHMvy/xjM63rJa1i3MehiXrei5T2u U3ANB5x40LSf8o6m97kgFgyTEFqtP7btEKbPSPjd07M1Rg02qXOu8AqDIBiP9txO9f9S q4Rct4o6OoBajAQ1wnZxrwGgUv79CTpomo5jfSPQD2WgxVMZsP7VChIcQKMIObxKsWRa 5/b+B6gvnQyyoUJmnt2JKjgSdq7x3wIxhpZQHfUt4xrIxXKbBcWlrJS6wdE3mxP6XKBt a42Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706634692; x=1707239492; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jlkEm4U/8h+4tozAWr842IZld815CsA+W6eQEuM2JBM=; b=OE41P5CDYhkA1QjhMcDDhotcxty4UfLS+xLjINMLB1vle0mpqaVhDKjVZCVmxL96Wq GbwP6kilHQa2v8nMvMN+z7VPb/r1vHR8p136g9BvVuleF1cDUVwhMKmTkQPFPktaSguR MXd4f8F0CmWlXkNgTJUfHqzkqgB8Si07G4jGsUw0g+OVcaLEA/L704VdTDWGu18muQsf UYjUgU+Et/JQM3WPE+V1kmbO5h2Dae3i4G2CKXN8rrb/lco5zO1Fjc7NI/ocnag5g9oQ yIjvdbe+92aEkNvudB7YSjofR7+wEUC0nOIEZCqOU7YoMRC7x+6uclX5WQ1ysvATg3kU f+wQ==
X-Gm-Message-State: AOJu0YyXCT1zNAL5qesVqHD16q4sWqb+NKwgezLmxVgvzI1M6DHytSYS zm/6YGhq9Ydwdn0ieiYJmWPqJrrt5ddk56zUayh9UefgGUWdeuEpIRtIjlF3dcWusdlnwV1uS9D Yhsjj9FMnC9EQcmdvGHrPYV45lhydwsAdZeHs553twMMI2e1JT6U=
X-Google-Smtp-Source: AGHT+IFC3DewMW2enpA1/C1ceDCye0QDAC+rAuvDVfDdbyw82YK3BrpMKkXHhEh3WSi/v4sRKYNJO5ITyO9ja+pC3ek=
X-Received: by 2002:a5b:38f:0:b0:dc6:aeba:5aaf with SMTP id k15-20020a5b038f000000b00dc6aeba5aafmr840282ybp.19.1706634691492; Tue, 30 Jan 2024 09:11:31 -0800 (PST)
MIME-Version: 1.0
References: <CAJTd26+hJjKaZZenN3bQuVaifJotVhbpQoYEBLBaN7KiOw2_Qg@mail.gmail.com>
In-Reply-To: <CAJTd26+hJjKaZZenN3bQuVaifJotVhbpQoYEBLBaN7KiOw2_Qg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 30 Jan 2024 09:10:53 -0800
Message-ID: <CABcZeBNT=EBMrmOJ1pBpaThs6BcVuajXYt+ziXzEMZU0LKjfjg@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008c580206102cda5d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/dclJhanfXVJN_7LClNuqkm4AQpE>
Subject: Re: [MLS] Recommendation for encrypted group operations
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 17:11:33 -0000

On Tue, Jan 30, 2024 at 8:57 AM Brendan McMillion <
brendanmcmillion@gmail.com> wrote:

> Hi mls@
>
> One of the first topics of discussion at our last interim was on whether
> or not to keep the recommendation in the architecture draft to use
> encrypted group operations whenever possible. This is issue #210 on the
> repo [1].
>
> The desire to remove this recommendation comes from the fact that many mls
> deployments and the mimi wg do not follow it. It doesn't seem that the
> minutes have been uploaded yet, but my memory of the conversation at the
> interim is that:
> - We generally agree that encrypted group operations would, in an ideal
> world, be preferred. I recall several people saying it's the "moral thing
> to do."
> - Acknowledging that most deployed applications don't encrypt group
> operations. We listed the deployments we knew of to prove this.
>
> The after-the-fact answer I came up with for why most applications don't
> encrypt group operations is that they can 1.) guarantee strong
> transport-layer security, 2.) don't care about leaking group membership to
> a central server, and 3.) want to use that central server to provide
> certain features. Despite being well-represented in the mls wg,
> applications that meet criteria 1, 2 and 3 is actually quite a specific
> subset within the space of what MLS was designed to support. Any
> decentralized application would not meet these criteria (no transport-layer
> encryption). Signal doesn't either (doesn't leak membership).
>
> Given this, my proposal is to keep the recommendation but state that
> applications may use unencrypted operations if they have an explicit
> reason. I've opened a PR to that effect here:
> https://github.com/mlswg/mls-architecture/pull/247
>
> This is in contrast with a PR from Eric that removes the recommendation
> and describes the tradeoffs between encrypted and unencrypted group
> operations on relatively equal footing:
> https://github.com/mlswg/mls-architecture/pull/246
>
> Please say on the list if you have a preference between the PRs. Thank you!
>

Just to clarify the process here: this is the start of a discussion, not a
consensus call, though I suppose the chairs might do a consensus call later
if that's necessary.

With that said, while I agree that it would be better if people encrypted
the group messages, the objective of IETF documents is not to talk about
the ideal world but to actually document protocol specifications for people
to implement.

Here in the IETF, we are specifying precisely one such protocol that uses
MLS, which is to say MIMI, and as Brendan notes, that protocol uses
unencrypted group operations. Text like what appears in PR #246 that
suggests that people ought not to do what we in IETF are in fact doing
serves mostly to confuse people and make us look uncoordinated [0].

-Ekr

[0] See also RFC 6919 "MUST (BUT WE KNOW YOU WON'T)" and  "OUGHT TO".








> 1. https://github.com/mlswg/mls-architecture/issues/210
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email