Re: [MLS] Short review of MLS drafts from the OTRv4 group
Raphael Robert <raphael@wire.com> Thu, 14 February 2019 09:24 UTC
Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62419131056 for <mls@ietfa.amsl.com>; Thu, 14 Feb 2019 01:24:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IPfPShC3IXpk for <mls@ietfa.amsl.com>; Thu, 14 Feb 2019 01:24:13 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553F612F1A2 for <mls@ietf.org>; Thu, 14 Feb 2019 01:24:13 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id d9so4388682edh.12 for <mls@ietf.org>; Thu, 14 Feb 2019 01:24:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=txaOzCleYFUH8TyQn7mTjyvfYkAu12d5cOxSDH8yUkw=; b=f/OfuZuChPWig7ukwZRh4+WA9+Mli8fBOnWbSq9mFZmxdCKIQAnwFUuxG3zNapHiKY ggoiONRZobBDa/7vq47ELo4HJC5bBUSF4DqX6R+LkT4s1ub2wLIhQUHSMNxszJJxrd5A 7YTejifaBW9bLelHBJlXHyON6i+7GvTH4fB78nAsgvo2g2W9QxaF5GfGNwmRREytEOIs Y8L4Xvg8h9HaJg29RP435Wxtx7TaTbdQ6858V3wme8las93AiCN8YdimMDRIN+CiC+VY ovkcm2PY+yPKIhFplOvLQ3oJE9stFhTy0zcjEi27RQ5Zt0ugTh4hwpWvyI8B3jGVsc1f Cy5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=txaOzCleYFUH8TyQn7mTjyvfYkAu12d5cOxSDH8yUkw=; b=t0ShSXk4cp+2zj1z+MCaKtrHv4E1xcExe+p/O7FNrZxSTw/J/iNf9o4wRI4YdtBZxi W1YGvn1d7vmqn3TjlzDTPlkYOJJFhQI2WBEDu1LzXSPOmZ2/y7PHdRutCOZF2br/IcUs PwHKCzs3o+ZLecQsNyEDpgxkTjaVhCpRC1CSwDfSSzMwuXwEYyj3T/kireM64iVj/6MH IkIHQ1I69RqAPdjFOhxlaFC9tyhR7Z6lwwjSHOEo2WH9i8KBAKLn+Jz4eAnuk0rMk3VJ IX3vAA16PQXqg7cVazSOQLJ9nKxCxImohcENhPGC1VQ+i7tEkV9lBWzXC0v2od0zvhtt Axsg==
X-Gm-Message-State: AHQUAuZkT35bH0G1Fliv1ZllugiD1sF5kn8GetaQfV6XS9+B/zQ5aQ3N 3XIizms1KN1P6U0FHsBAqi3ufk1MWTA=
X-Google-Smtp-Source: AHgI3IbpmyBo3XMP+gq0VX/My5sAVntL9m12kamyV2+CZ9SxOW1NWnXXJglN5jrePhHXm0VwsZZHDQ==
X-Received: by 2002:a17:906:a3c3:: with SMTP id ca3mr2039048ejb.25.1550136251291; Thu, 14 Feb 2019 01:24:11 -0800 (PST)
Received: from rmbp.wire.local (h-62.96.148.44.host.de.colt.net. [62.96.148.44]) by smtp.gmail.com with ESMTPSA id i50sm525419eda.65.2019.02.14.01.24.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Feb 2019 01:24:10 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Raphael Robert <raphael@wire.com>
In-Reply-To: <20190214060520.GA3126@Sofias-MacBook-Pro.local>
Date: Thu, 14 Feb 2019 10:24:09 +0100
Cc: shivankaulsahib@gmail.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <CE60D73A-9E40-413A-82A0-40C52199DD56@wire.com>
References: <20190214060520.GA3126@Sofias-MacBook-Pro.local>
To: Sofia <sofia@autonomia.digital>, mls@ietf.org
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/g33s_7N_2ygV7BKp2UQ1peSJUz8>
Subject: Re: [MLS] Short review of MLS drafts from the OTRv4 group
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 09:24:16 -0000
Hi Sofia,
Thanks for the review!
I’ll focus on your questions regarding deniability for now.
> We are unsure if there is a will of including deniability in this. On some
> points it states:
>
> """
> [[ OPEN ISSUE: Signatures under the identity keys, while simple, have
> the side-effect of preclude deniability. We may wish to allow other
> options, such as (ii) a key chained off of the identity key, or (iii)
> some other key obtained through a different manner, such as a
> pairwise channel that provides deniability for the message
> contents.]]
> """
>
> """
> Non-Repudiation and Deniability
> As described in {{client-compromise}}, MLS provides data origin authentication
> within a group, such that one group member cannot send a message that appears to
> be from another group member. Additionally, some services require that a
> recipient be able to prove to the messaging service that a message was sent by
> a given Client, in order to report abuse. MLS supports both of these use cases.
> In some deployments, these services are provided by mechanisms which allow the
> receiver to prove a message's origin to a third party (this if often called
> "non-repudiation"), but it should also be possible to operate MLS in a "deniable"
> mode where such proof is not possible. [[OPEN ISSUE: Exactly how to supply this
> is still a protocol question.]]
> """
>
> If this is something that wants to be included, we will be very happy to answer
> questions. Nevertheless, there is no way, currently, to achieve the same deniability
> properties OTRv4 has in a group setting.
>
> We are also unsure of the difference between deniability and non-repudation.
The will is definitely there to allow deniability in MLS. However since that property is quite divisive, the current status quo is that it should be optional.
In practical terms, *some* deniability could be achieved by distributing the message signing keys through a deniable channel (similar to how the sender keys concept works). In a way this puts deniability “out of scope” in the sense that the distribution of signing keys is not in the charter. To my knowledge, there is no other substantial proposal on how deniability could be achieved, but it would be great to hear more from you on that subject!
Raphael
- [MLS] Short review of MLS drafts from the OTRv4 g… Sofia
- Re: [MLS] Short review of MLS drafts from the OTR… Benjamin Beurdouche
- Re: [MLS] Short review of MLS drafts from the OTR… Raphael Robert
- Re: [MLS] Short review of MLS drafts from the OTR… Sofia
- Re: [MLS] Short review of MLS drafts from the OTR… Sofía Celi