Re: [MLS] Hiding content type

"Hale, Britta (CIV)" <britta.hale@nps.edu> Tue, 28 July 2020 05:16 UTC

Return-Path: <britta.hale@nps.edu>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 866843A0C73 for <mls@ietfa.amsl.com>; Mon, 27 Jul 2020 22:16:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2aKBrkoVfMV4 for <mls@ietfa.amsl.com>; Mon, 27 Jul 2020 22:16:42 -0700 (PDT)
Received: from mule.nps.edu (mule.nps.edu [205.155.65.106]) by ietfa.amsl.com (Postfix) with ESMTP id 0A4A53A0C70 for <mls@ietf.org>; Mon, 27 Jul 2020 22:16:41 -0700 (PDT)
X-ASG-Debug-ID: 1595913400-0e39451ec895170001-bGA3T6
Received: from mail.nps.edu (skywalker.ern.nps.edu [172.20.4.117]) by mule.nps.edu with ESMTP id CtVXzb3eP8tMBkKD; Mon, 27 Jul 2020 22:16:40 -0700 (PDT)
X-Barracuda-Envelope-From: britta.hale@nps.edu
Received: from skywalker.ern.nps.edu (172.20.4.117) by skywalker.ern.nps.edu (172.20.4.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3; Mon, 27 Jul 2020 22:16:39 -0700
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.173) by skywalker.ern.nps.edu (172.20.4.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1531.3 via Frontend Transport; Mon, 27 Jul 2020 22:16:39 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Aevz2ybbYrvJVQbuKBRgFVxZz1mRCggNaX/nxRnY2xE1HCj4TYUifI45p0mjeQTDawKDslbyXs6UHoRvXXM+iNfrDNpJMiuQlPwnSrdJOU0bOto0EpCLUlGLuRCzwb7vr86k4iE4hXYvBbRwc5QN8iKiYxYK9YVgt4OA/ffGfX8O0VV+epEAo4Mc3l4kmJoT5i4fNOMDIA+5nY42Soi3TUn/vZ023oA0cwvEpf6eONo7leVXzbW2TfJL7jq59KhWRUYz7VKcnUQagzbt/zryLR1Nv9h74x2AqwiBQ65NjXVWndjQZNPvkWAoJiUly32GiWQOlVb4BElSNGkDuSrYgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8TmX77M6kqHUqpAx8kuaw7loPrQAlXodXykCvFiAYdE=; b=m3ytlNZNEu9AKU4CMfqNVz7uADwg1kWI4jqcOZn5f70RQq0v3w9rj+YJaSazI2CGxTW0oDQ0yRwKOrq5S+y0q9OuaTx/t0d+fS0hWKClWHAfFVQDWOL9aAzvI8HyLhACJxQ5UfeHHd/pnLF4v+95sqXEwr+FweTrvkiTvNnG2RgmvikWgZ+l16cQasHpNPtFpglgBYY1ppkXo5yrjocZB6VNOqXvJlAb4gzCN9Sk6ZkdQ7B6CcEcPDQUbmKI2583sqlD/TSYJyQwNcyZS2NENeVTSGcba2WzvfiW8aLRbQ9jwjLqFBp3fjM/1tsdG/QKd1hNLqfuMvzsy3klJmVo4A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nps.edu; dmarc=pass action=none header.from=nps.edu; dkim=pass header.d=nps.edu; arc=none
Received: from BY5PR13MB3348.namprd13.prod.outlook.com (2603:10b6:a03:1aa::23) by BY5PR13MB3288.namprd13.prod.outlook.com (2603:10b6:a03:186::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.9; Tue, 28 Jul 2020 05:16:38 +0000
Received: from BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::cd68:c4a7:9a8e:7f33]) by BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::cd68:c4a7:9a8e:7f33%7]) with mapi id 15.20.3239.015; Tue, 28 Jul 2020 05:16:38 +0000
X-Barracuda-Effective-Source-IP: UNKNOWN[2603:10b6:a03:186::28]
X-Barracuda-Apparent-Source-IP: 2603:10b6:a03:186::28
From: "Hale, Britta (CIV)" <britta.hale@nps.edu>
To: Chelsea Komlo <chelsea.komlo@gmail.com>, "mls@ietf.org" <mls@ietf.org>
CC: "rlb@ipv.sx" <rlb@ipv.sx>, "brendan=40cloudflare.com@dmarc.ietf.org" <brendan=40cloudflare.com@dmarc.ietf.org>
Thread-Topic: [MLS] Hiding content type
X-ASG-Orig-Subj: Re: [MLS] Hiding content type
Thread-Index: AQHWWR1miPCJW/kzdkaeKDSwZdPxN6kFmZ8AgAAQhICAAAtsAIAA+9iAgBBmLQCAAY5egIAAHi+AgAAqY4CAA4bMgP//n6WA
Date: Tue, 28 Jul 2020 05:16:37 +0000
Message-ID: <B72B8E66-D973-460A-9520-27D8AC30E4FA@nps.edu>
References: <CAL02cgT4jBiJNCoRBsBc7hRWBX0qzmZjC8B8XmJnGcZXgEiCdg@mail.gmail.com> <CABP-pSTW=7jK2hRHLYwydOyrfimfqti0Rih=BoBpqBJDfqf4QQ@mail.gmail.com> <CAL02cgT0KWJ21m70q5cL7NKBB+-Cjvb63YpgnBGoisScNqQchQ@mail.gmail.com> <CABP-pSR2UxWkKk6a_T9vN4cv89zCchNbN4YN=dS_qm5Ye4AjJA@mail.gmail.com> <FCAAD638-E0F8-4A91-90F1-1A2F1233D88F@nps.edu> <CAL02cgQBge9V3YEtnxRPOxLuMWQzg_Y1XD_cmEX=q94ou6fe7w@mail.gmail.com> <CABP-pSSQJ2dT2-mmvAYFYhvtVsRL9KWy71Zcfoxx8pMse2L=Kw@mail.gmail.com> <CAL02cgRxXjoCQX3V7TTL9aW04ywFmwQvk3vRcMadQfpATfXwHg@mail.gmail.com> <56633046-DB4C-4EE8-A83B-E88A4F430171@cloudflare.com> <CAJoqpT+Jg2JQo0iLGB_i0tyMvEbvYad5MtX-s+Ev5o=W+VDacQ@mail.gmail.com>
In-Reply-To: <CAJoqpT+Jg2JQo0iLGB_i0tyMvEbvYad5MtX-s+Ev5o=W+VDacQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.17.200615
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=nps.edu;
x-originating-ip: [2601:647:cb00:2941:86c:e96:626e:6ae8]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cf2ddecd-e775-4326-e644-08d832b5679a
x-ms-traffictypediagnostic: BY5PR13MB3288:
x-microsoft-antispam-prvs: <BY5PR13MB3288C7285B61FE5F7D4D46B2FB730@BY5PR13MB3288.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ucFrzwa0GW8QwWpRuDTQn4fWLcyIosydqjuus9//CmzlKaCEZ5xnJN8QG15VTSzw4IaLailIaDQcpKTil88w3FsNGVj8Z2yEo8mjmg8Hz8fYnH5OCvIu1uPh1XpJh61HT9tOFe3pB5+cEMCyp6W1sWOwfGiXJLDQ1orQCfNgJOsVPSUgA6S9TG7uPabDkYCy4whf8bVtWXyLtn9QVSu7vp3MLQPaVJpDhJ6bHIT1zoD7cMYyeD1K/6260OU+Bn8Yagoob3pLWVzQu05vvzNlKcyD0qQzxC39DSYH0VZRW1oCY9YoZy+JAJ84LqU/U52HelJHV+fWS9bj9w/5PgSbaLaxnAIqKuriXhup50wMHKwcWCLK1oUSYoU7prqJZPxgXEUxxIL489rNRD6zqXj4gA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR13MB3348.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(376002)(39850400004)(396003)(136003)(346002)(53546011)(6506007)(966005)(76116006)(66446008)(64756008)(66556008)(786003)(316002)(36756003)(30864003)(4326008)(478600001)(6486002)(6512007)(8936002)(83380400001)(86362001)(110136005)(33656002)(2906002)(75432002)(66476007)(8676002)(71200400001)(2616005)(54906003)(5660300002)(66946007)(166002)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: ss4vEvXH7WPoUYH47XghlaKe6SEouzVoVjo5DjSSz6KtcnS4SJsZTSb3LmLcTTA8v7LjVWKn5CXFFh8B2ENGHh9/lNbZoJm4tCUgl6Eo/wx+fSpY/JjpDtAezjAeyrYJMdz+VEQAMiJkipejcQdwsc6GE/Au3V+xX4EsEXSThBJesj+ukXLGcrAVIRuaWn5W2/fWC8JkWc3hL4VERia6ffuTMwo/m5YxIKIsmOVTTgsFvnDAQe6D5qJKT+k4SzlN8pJthSLGWQg8bEqwF+DSw1E+VuaU/CNgS5xELFI6oNwvxcXpFcr4AEKtY2vmApKvNduvSV/dEsfoNZ/vyBGM0Kv0zBcQk32zvKVQUVsTM/vfIHPXuHEezYjmH3hMb0u/hCZN4oYPcICd41p64am8ePe9BQlsbcbu4obaKTM6phDmMl+C/+xLs1Fwh3Ub5xJ50AyES6iMOY0JFViiEYfb7ynIW+FDC1wZdhCCNdawWiQMIfGZRwt2dzu9v1yn5FPqaAET0b5wls/tK6UXzz0MPRruUYChHrErODTHFVJUeemJ29JkSiDDsy5DFg2zswb7jT3nl2mck43pjjYmZ4QMK9c0wUG2CPXHULAcLfLdz7PrEdelWTKBwPJGTC1USHcSumuYxzw6nIsIIMKBu/+ae6VjojyB3eBY7Sbds0RcDdhOeS+LuXVhztseqWoJ0amWC6GtRC1ej3OQ0TwFO803xA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_B72B8E66D973460A952027D8AC30E4FAnpsedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR13MB3348.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cf2ddecd-e775-4326-e644-08d832b5679a
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2020 05:16:38.0350 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6d936231-a517-40ea-9199-f7578963378e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3eQWENBVLTDO0WdbMXfDUI381JhxgDK8K0WNAUMOrKJBI2RI7CCzWHZydSg6RPGS9k8ck4zlJ9Po7S/0IP0tHA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR13MB3288
X-OriginatorOrg: nps.edu
X-Barracuda-Connect: skywalker.ern.nps.edu[172.20.4.117]
X-Barracuda-Start-Time: 1595913400
X-Barracuda-URL: https://205.155.65.106:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at nps.edu
X-Barracuda-Scan-Msg-Size: 40369
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.83514 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 HTML_MESSAGE BODY: HTML included in message
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/g5SkRJGJm75rFaI67Vw4vjfKgfI>
Subject: Re: [MLS] Hiding content type
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 05:16:48 -0000

Privacy-by-default is a goal that I think most on the mailinglist can agree with (at least there have not been objections about that so far). It is *how* it is achieved that is the issue.

A the moment, one method has been presented and strongly argued for, but there does not seem to be a good backing case for that approach. Alternatively, there could be other ways of achieving privacy and content hiding and alleviating some of the various types of concerns that have been raised from different corners.

-  For example, it was proposed on the mailing list on 14 July that we could consider a longer field to avoid collisions.
-  Also, there does not seem to be a firm reason for deriving the epoch ID as proposed. If the hash was instead over only the (current version) group/epoch ID, then there would be no variable input and the epoch ID would be predictable by all members of the group (but not those outside). That would allay some of the forking concerns. A compromise might be found on what inputs to use, so that the epoch ID remains predictable only to group members following an add/removal.
-  Finally, (if we really want to expand on possibilities) if the epoch ID was taken as an encryption of the current group/epoch ID instead of a hash, then it could be uniquely reconcilable when required. The group/epoch ID length is already accounted for in the current spec, so compression with a hash is not really a bonus factor.

Just to be clear, I do not think that the third point above is really a good option. However, it does highlight that there are other options to meet the end goal of content hiding. The other two points ought to be considered.

The “positive use case” described thus far is an argument for the end goal of content hiding, but is not an argument for content hiding in the particular way that has been proposed. Having a positive use case to support the precise proposed change would be helpful.

Ultimately, I would like to see arguments for/against the various other ways of achieving content hiding, such as those listed above (or others). This applies to both the concerns about resistance to collisions as well as the general aim of privacy. It is by no means an absolute fact that we can support only one or the other, so there may be a solution that addresses all concerns discussed so far. It is definitely worthwhile to try for that.


Britta


From: Chelsea Komlo <chelsea.komlo@gmail.com>
Date: Monday, July 27, 2020 at 9:01 PM
To: "mls@ietf.org" <mls@ietf.org>
Cc: "Hale, Britta (CIV)" <britta.hale@nps.edu>du>, "rlb@ipv.sx" <rlb@ipv.sx>sx>, "brendan=40cloudflare.com@dmarc.ietf.org" <brendan=40cloudflare.com@dmarc.ietf.org>
Subject: Re: [MLS] Hiding content type

I would like to affirm the positive use case Richard described, and say that minimizing metadata where possible is valuable and leaves open the possibility of using MLS in less-trusted settings. There are messaging applications currently being developed in practice [1] that provide metadata resistance (and hopefully more will follow this trend in the future). It would be good to keep the door open to the use of MLS in these settings.

As I am just now reading over the latest draft, I don't have much to add at this moment as to how to derive these fields implicitly, but I am happy to take a closer look and provide recommendations if the group doesn't come to consensus in the meeting this week.

[1] https://openprivacy.ca/work/cwtch/

On Sat, Jul 25, 2020 at 4:10 PM Brendan McMillion <brendan=40cloudflare.com@dmarc.ietf.org<mailto:40cloudflare.com@dmarc.ietf.org>> wrote:
I’m concerned about adversarial collisions, that'd cause a partial DoS like you say. There are other ways to cause partial DoS in an MLS group, but I think it’s good to minimize the avenues for attack.

In your example, it sounds like you’re trying to achieve unlinkability between messages, with a Generic Commit Sequencing Service which is basically a KV store that only accepts one write per key. So in this scenario, I think you would be much better off by simply truncating the group ID and epoch from MLSCiphertext (making them implicit), and choosing the key that each message is stored under with some function of: 1.) a group secret, and 2.) a message counter.

Would that work?


On Jul 25, 2020, at 12:38 PM, Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:

Just so we're clear, in your example, are you concerned about accidental or adversarial collisions?  I hope we agree that we can fix the accidental case just by making a longer epoch ID.  In the adversarial case, this seems like a partial DoS at worst, since the members who incorrectly think they are in the previous epoch will no longer be decrypting with the right keys.

As far as a positive example: Imagine a Generic Commit Sequencing Service that provides a reliable broadcast/ledger over anonymous channels (e.g., as an onion service), but will only broadcast/record one message for each groupID/epoch.  If the groupID/epoch is opaque, then such a service can be provided without learning anything about the groups it serves or their evolution.


On Sat, Jul 25, 2020 at 1:50 PM Brendan McMillion <brendan@cloudflare.com<mailto:brendan@cloudflare.com>> wrote:
Take for example, a broadcast channel that's ordered but lossy. A Commit gets sent where the new epoch id collides with the previous epoch id, but not all members get the Commit. So now the group is fractured and there's no way for members in the previous epoch to know that they missed a message. What the application developer needs to do to detect lost messages, is immediately re-implement the counter epoch id that you've just removed.

That's an example of a system where this change is pointless / harmful. If you could provide an example of a system where the change is *helpful*, that would be more interesting.

On Fri, Jul 24, 2020 at 11:05 AM Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:
I'm honestly really confused by the worry about collisions here.  The current epoch ID collides trivially -- it's just a counter!  And the group ID is assumed to be public anyway.  So if your authentication scheme is broken when you have a (group ID, epoch ID) collision, then your scheme is already broken.

If we're going to block this change on this basis, then we need to see clearly articulated an authentication scheme that is secure in the current model, but broken in the case where epoch IDs are derived off of the key schedule.
--Richard

On Tue, Jul 14, 2020 at 10:38 AM Hale, Britta (CIV) <britta.hale@nps.edu<mailto:britta.hale@nps.edu>> wrote:
Ensuring the most conservative design by default seems advisable; however it is not clear that this proposal for hiding content type is actually doing that. Indeed, if an application is concerned about hiding the content type, would not that same type of application also be concerned about collisions?

As Brendan notes, we are not talking about accidental collisions here. Pre-computation is entirely possible, such as by a malicious group member, so the window of attack is not limited to one epoch.

If this is this PR particular is of particular interest to some, then it would be good to see a clarifying explanation as to the security it achieves (i.e. why this is “security by design” despite introducing such collision possibilities), or a concrete use-case. Alternatively, are we really limited to a 64-bit field, or can that length be adjusted to mitigate the introduced problems?



A clarifying point for those following this thread: some references in the email chain state that this is encryption of the epoch ID. That is not the case. The proposal being discussed is about a hash thereof (hence discussion on collisions).

Britta


From: MLS <mls-bounces@ietf.org<mailto:mls-bounces@ietf.org>> on behalf of Brendan McMillion <brendan=40cloudflare.com@dmarc.ietf.org<mailto:40cloudflare.com@dmarc.ietf.org>>
Date: Monday, July 13, 2020 at 9:37 AM
To: Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>>
Cc: Messaging Layer Security WG <mls@ietf.org<mailto:mls@ietf.org>>
Subject: Re: [MLS] Hiding content type

As far as collision resistance, I'm not too worried about collisions among 64-bit random values, especially as the scope for collision is fairly small, arguably just one epoch.

The issue isn't with accidental collisions, it's with malicious ones. An attacker can purposefully (and quickly) generate commits that create duplicate epoch ids, and send them to a client to corrupt their group state.

I think the idea here is to be conservative by default.  There are systems in which you can hide the metadata you're talking about with things like mixnets and dropboxes.

It's not just being more conservative, you're making changes specifically for very niche use-cases where I don't think the security of the whole system has been thought through. Maybe you have an example in mind, but I can't think of a system where this change provides any additional privacy.

On Mon, Jul 13, 2020 at 10:56 AM Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:
On Mon, Jul 13, 2020 at 10:57 AM Brendan McMillion <brendan@cloudflare.com<mailto:brendan@cloudflare.com>> wrote:
With respect to using an opaque epoch id, I believe this was proposed in #245<https://github.com/mlswg/mls-protocol/pull/245> and consensus was against it because it makes it more difficult to implement the DS. It's also not clear to me what security properties you want from an opaque epoch id, because the current PR doesn't provide collision resistance and I'd expect this to be a source of confusion and bugs.

I think the discussion on #245 got derailed a bit by the focus on non-linear epochs.  The point here is that even in a case where you have linear history, I think there's intrinsic value in the epoch ID being opaque because it gives intermediaries less opportunity for ossification.

As far as collision resistance, I'm not too worried about collisions among 64-bit random values, especially as the scope for collision is fairly small, arguably just one epoch.


With respect to encrypting the content type, it also seems to me that this would cause issues because different content types have different delivery guarantees. Specifically: messages are allowed to be unordered and lossy, proposals are allowed to be unordered but not lossy, and commits are both ordered and not lossy. In the deployment scenarios we've talked about, the DS essentially always needs to know the content type to provide this. Conversely, you don't get much additional privacy from encrypting the content type because an eavesdropper can see the epoch id change and infer which message was a commit, or see a dropped message getting re-sent and infer it was a proposal.

I don't disagree that there are different guarantees you need, but like I said, I think the idea here is to be conservative by default.  There are systems in which you can hide the metadata you're talking about with things like mixnets and dropboxes.  Keeping the ciphertext as opaque as possible keeps the door open to running MLS over those systems without MLS's own metadata undermining their privacy properties.

FWIW, in the systems I'm looking at building, this PR does not make any difference, because clients use separate channels for Proposals/Commits vs. application data and the server doesn't check.

--Richard



On Mon, Jul 13, 2020 at 8:56 AM Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:
Hi all,

Recall that PR#349 does two things (1) use an opaque epoch ID, and (2) encrypt the content type of the message (application / proposal / commit) [1].

There was some discussion on the call last week that encrypting the content type might not be that useful, since an application that relies on a server to assure ordering of commits will need to at least be able to tell commits from other things.  Of course, even if the content type is encrypted by default, the application can add it back in authenticated data, or in some unauthenticated wrapper.

Net of those considerations, I'm personally still inclined to merge the PR, to have a conservative baseline.  But those on the call thought it would be useful to pose this to the group, so please speak up if you have concerns.

--Richard

[1] https://github.com/mlswg/mls-protocol/pull/349
_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls

_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls