Re: [MLS] Revised MLS charter

Sean Turner <sean@sn3rd.com> Fri, 13 April 2018 18:52 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37B8127775 for <mls@ietfa.amsl.com>; Fri, 13 Apr 2018 11:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 81n9kRyF9QD4 for <mls@ietfa.amsl.com>; Fri, 13 Apr 2018 11:52:33 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57679127601 for <mls@ietf.org>; Fri, 13 Apr 2018 11:52:33 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id a25so2780985qtm.1 for <mls@ietf.org>; Fri, 13 Apr 2018 11:52:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:content-transfer-encoding:mime-version:subject:date:references :to:in-reply-to:message-id; bh=Aqk19AdIRUpDJqy0GoWtbL3tYB8WgzRdRrrAsOx9fps=; b=kAut5+rQ7IWZo8SACLa5OIQXTNrwl5lV0akLyO+BBykUAqgColbx/f+LlNi2XwIgi7 a2EWzSwXKlLq7iq3J92WNi4/ut+P5ve1Us2HttNkNNLEoNfmxOWnta4gf+9ThAmWhnae zaKdROSDJqc3bWCPKA0ZwA53ynsvQvE9Ve/oU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=Aqk19AdIRUpDJqy0GoWtbL3tYB8WgzRdRrrAsOx9fps=; b=Q/g+G5EPfVaul0a7KaFqp/MmHPrdCAXq6HzDub1Q3EfXUt45xcJDAf9tecdMWDAcwc WcL4CFT/zhPwZvAFU/Sb1s2b9Y8ON655uPYfjltB+fvzM9235K2sCb1MfkVLZdjj+SEI NnxJ6mV2Ys4zuKux5D8hmxImifbfHoDWyx40wkLarBRq4/K4cBSuTVu7Su9HRmABHmoS J3/gETdoG9GmryoafzWhRy8lkigu2af9v5uSROnAkwqfpH8R7KLooElSFLWHFTTFOfoS DEjFCKejlEVS+CvX9gUMs7i2OyyB7F6ovy9Y07YFNBqd6iWUwHJndq8zwM5gmWy5pSD2 ZObg==
X-Gm-Message-State: ALQs6tBy3jTDg7LxlInw132VrUVyglVwVocwq3QPA3U/2VCsTS7TZ5Km viS1OwEmhrvz394vVPWp+8psAmklJxQ=
X-Google-Smtp-Source: AIpwx49t1W/YuYciWb9zuJLj3YalfyU5vxwEGkgpvBNUPX7fpHw7pWgt9BHSyMauBz7qPGlml6qG0w==
X-Received: by 10.200.17.149 with SMTP id d21mr4517851qtj.256.1523645552183; Fri, 13 Apr 2018 11:52:32 -0700 (PDT)
Received: from [172.16.0.18] ([96.231.225.106]) by smtp.gmail.com with ESMTPSA id b13sm2319672qtp.77.2018.04.13.11.52.30 for <mls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Apr 2018 11:52:31 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Fri, 13 Apr 2018 14:52:30 -0400
References: <E66143BE-F9D8-4073-A83E-10B4344BF15D@sn3rd.com>
To: mls@ietf.org
In-Reply-To: <E66143BE-F9D8-4073-A83E-10B4344BF15D@sn3rd.com>
Message-Id: <5C447405-A453-41A3-8E58-02925FEB450D@sn3rd.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/efLagyphkwkUdtF2c8dGFiQWLKA>
Subject: Re: [MLS] Revised MLS charter
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 18:52:36 -0000

Sorry I missed to minor edits from Jonathan Lennox didn’t get copied over:

Messaging Layer Security (MLS) Charter (DRAFT)

Several Internet applications have a need for group key establishment
and message protection protocols with the following properties:

o Message Confidentiality - Messages can only be read
  by members of the group
o Message Integrity and Authentication - Each message
  has been sent by an authenticated sender, and has
  not been tampered with
o Membership Authentication - Each participant can verify
  the set of members in the group
o Asynchronicity - Keys can be established without any
  two participants being online at the same time
o Forward secrecy - Full compromise of a node at a point
  in time does not reveal past messages sent within the group
o Post-compromise security - Full compromise of a node at a
  point in time does not reveal future messages sent within the group
o Scalability - Resource requirements have good scaling in the
  size of the group (preferably sub-linear)

Several widely-deployed applications have developed their own
protocols to meet these needs. While these protocols are similar,
no two are close enough to interoperate. As a result, each application
vendor has had to maintain their own protocol stack and independently
build trust in the quality of the protocol. The primary goal of this
working group is to develop a standard messaging security protocol
so that applications can share code, and so that there can be shared
validation of the protocol (as there has been with TLS 1.3). 

It is not a goal of this group to enable interoperability / federation
between messaging applications beyond the key establishment,
authentication, and confidentiality services.  Full interoperability
would require alignment at many different layers beyond security,
e.g., standard message transport and application semantics.  The
focus of this work is to develop a messaging security layer that
different applications can adapt to their own needs.

While authentication is a key goal of this working group, it is not
the objective of this working group to develop new authentication
technologies.  Rather, the security protocol developed by this
group will provide a way to leverage existing authentication
technologies to associate identities with keys used in the protocol,
just as TLS does with X.509.

In developing this protocol, we will draw on lessons learned from
several prior message-oriented security protocols, in addition to
the proprietary messaging security protocols deployed within
existing applications:

o S/MIME - ​https://tools.ietf.org/html/rfc5751
o OpenPGP - ​https://tools.ietf.org/html/rfc4880
o Off the Record - ​https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html
o Signal - ​https://signal.org/docs/

The intent of this working group is to follow the pattern of
TLS 1.3, with specification, implementation, and verification
proceeding in parallel.  By the time we arrive at RFC, we
hope to have several interoperable implementations as well
as a thorough security analysis.

The specifications developed by this working group will be
based on pre-standardization implementation and deployment
experience, generalizing the design described in:

o draft-omara-mls-architecture
o draft-barnes-mls-protocol

Note that consensus is required both for changes to the current
protocol mechanisms and retention of current mechanisms. In
particular, because something is in the initial document set does
not imply that there is consensus around the feature or around
how it is specified.

Milestones:
May 2018 - Initial working group documents for architecture and key management
Sept 2018 - Initial working group document adopted for message protection
Jan 2019 - Submit architecture document to IESG as Informational
Jun 2019 - Submit key management protocol to IESG as Proposed Standard
Sept 2019 - Submit message protection protocol to IESG as Proposed Standard

Cheers,

spt

> On Apr 13, 2018, at 14:09, Sean Turner <sean@sn3rd.com> wrote:
> 
> All,
> 
> The charter tweaks made since the BOF include tweaking (and reordering) some of the “property” bullets:
> - added message confidentiality
> - message authentication changed to message integrity and authentication
> 
> I know that Ben Schwartz mentioned that we should look at our “full compromise” definition, but in reviewing it the way it’s used in FS and PCS property bullets it looks okay to me.  But, maybe Ben can elaborate a bit.
> 
> Anyway at this point, here’s what we’re working with:
> 
> 
> Messaging Layer Security (MLS) Charter (DRAFT)
> 
> Several Internet applications have a need for group key establishment
> and message protection protocols with the following properties:
> 
> o Message Confidentiality - Messages can only be read
>   by members of the group
> o Message Integrity and Authentication - Each message
>   has been sent by an authenticated sender, and has
>   not been tampered with
> o Membership Authentication - Each participant can verify
>   the set of members in the group
> o Asynchronicity - Keys can be established without any
>   two participants being online at the same time
> o Forward secrecy - Full compromise of a node at a point
>   in time does not reveal past messages sent within the group
> o Post-compromise security - Full compromise of a node at a
>   point in time does not reveal future messages sent within the group
> o Scalability - Resource requirements that have good scaling in the
>   size of the group (preferably sub-linear)
> 
> Several widely-deployed applications have developed their own
> protocols to meet these needs. While these protocols are similar,
> no two are close enough to interoperate. As a result, each application
> vendor has had to maintain their own protocol stack and independently
> build trust in the quality of the protocol. The primary goal of this
> working group is to develop a standard messaging security protocol
> so that applications can share code, and so that there can be shared
> validation of the protocol (as there has been with TLS 1.3). 
> 
> It is not a goal of this group to enable interoperability / federation
> between messaging applications beyond the key establishment,
> authentication, and confidentiality services.  Full interoperability
> would require alignment at many different layers beyond security,
> e.g., standard message transport and application semantics.  The
> focus of this work is to develop a messaging security layer that
> different applications can adapt to their own needs.
> 
> While authentication is a key goal of this working group, it is not
> the objective of this working group to develop new authentication
> technologies.  Rather, the security protocol developed by this
> group will provide a way to leverage existing authentication
> technologies to associate identities with keys used in the protocol,
> just as TLS does with X.509.
> 
> In developing this protocol, we will draw on lessons learned from
> several prior message-oriented security protocols, in addition to
> the proprietary messaging security protocols deployed within
> existing applications:
> 
> o S/MIME - ​https://tools.ietf.org/html/rfc5751
> o OpenPGP - ​https://tools.ietf.org/html/rfc4880
> o Off the Record - ​https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html
> o Signal - ​https://signal.org/docs/
> 
> The intent of this working group is to follow the pattern of
> TLS 1.3, with specification, implementation, and verification
> proceeding in parallel.  By the time we arrive at RFC, we
> hope to have several interoperable implementations as well
> as a thorough security analysis.
> 
> The specifications developed by this working group will be
> based on pre-standardization implementation and deployment
> experience, and generalizing the design described in:
> 
> o draft-omara-mls-architecture
> o draft-barnes-mls-protocol
> 
> Note that consensus is required both for changes to the current
> protocol mechanisms and retention of current mechanisms. In
> particular, because something is in the initial document set does
> not imply that there is consensus around the feature or around
> how it is specified.
> 
> Milestones:
> May 2018 - Initial working group documents for architecture and key management
> Sept 2018 - Initial working group document adopted for message protection
> Jan 2019 - Submit architecture document to IESG as Informational
> Jun 2019 - Submit key management protocol to IESG as Proposed Standard
> Sept 2019 - Submit message protection protocol to IESG as Proposed Standard
> 
> Cheers,
> 
> spt