IETF Logo Mail Archive

Re: [MLS] Stupidest possible message protection

Raphael Robert <raphael@wire.com> Mon, 03 December 2018 21:42 UTC

Return-Path: <raphael@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 602E012D4ED for <mls@ietfa.amsl.com>; Mon, 3 Dec 2018 13:42:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id APIFT4Etxrc8 for <mls@ietfa.amsl.com>; Mon, 3 Dec 2018 13:42:09 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F2D8129BBF for <mls@ietf.org>; Mon, 3 Dec 2018 13:42:08 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id a18so7280824wmj.1 for <mls@ietf.org>; Mon, 03 Dec 2018 13:42:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20150623.gappssmtp.com; s=20150623; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=R53O7RSGC2qkmZ24QY1MjF/9aQKzXy55AkPeHsuaZ24=; b=ZQx/fd4LWMRKA1Hpsbt7qwu1eAZHfF5vZMrcKc22iu2I671o9wxi5dzIHkAuQ+/w0E CJM/vqCr6wYW8cLSg94cWHpmL3+RKQQV2HHlswj0PU3QhcOoXLsWpPz9q7n38HH9aHUD owP3Y9Fz6m6/xulACzzZEjzC0mu3Xn1fQa40hL4cOrmrNbHO55OfM4m0SEN8tKVohAID Fdq18ZCtHzFAI8Om61kKmF8KhoBLGtywPG4+bL5X9OsRvMbBXErlGJAIpwJGyP8sQC1b HIYq9RsEs03dHwl51lFKTb3iORIqsyYVtfqzNn8hWcKbpvOzQ4dVwVDU71fjtwpwPrtL MBEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=R53O7RSGC2qkmZ24QY1MjF/9aQKzXy55AkPeHsuaZ24=; b=Oe+HYNgirnFYwLbvqCnWFIAl+oG56XKu0Ijzoz76C/dKzZMN5JIWsYUO0pryMhW1fP gUL5BPbYEvDvWQU6WERWuhmVSfj1r794sxCnex3dQDq/2Yw9uXoseZZid/aM7ye4uS3s G39sy+hiYpOgRMsTbqeBabKTroh21o35ODhP2LYP13GkynNspNK2cUdIsegvMXN4n1Oj OXSbwYsAKGUozahCsWN2hG1Pb+c2txtb1C2Vy592cXKN6otnfy59umaqTuhdCW0uib1S /vduS6OcXaNGgqCrc5I5UI0JvptHA9z8dFVJ7LEGueKz3G49eq9IVMxAn51Jc/qzxW9i UEqg==
X-Gm-Message-State: AA+aEWY7XFiU2XJGsC4Rtdau6NkWvhSrWavqS/OWGalRiX2W0pCBXA8i 4sgelsAIwAQiwQxAlmmpAmG6ZrT+6ASRLA==
X-Google-Smtp-Source: AFSGD/XXU+UBiWCu1v7SzW2P2PjU6OJ/zKrm+rIO9K0SD83FT6GBN/QhbkWYD8mdKooxfBUPVZXghA==
X-Received: by 2002:a1c:85d2:: with SMTP id h201mr9335786wmd.151.1543873326418; Mon, 03 Dec 2018 13:42:06 -0800 (PST)
Received: from rmbp.fritz.box (HSI-KBW-095-208-247-123.hsi5.kabel-badenwuerttemberg.de. [95.208.247.123]) by smtp.gmail.com with ESMTPSA id y13sm9714546wrw.85.2018.12.03.13.42.05 for <mls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Dec 2018 13:42:05 -0800 (PST)
From: Raphael Robert <raphael@wire.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_24D1C12D-99EF-4DDA-A2FD-2907F26588FD"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Mon, 03 Dec 2018 22:42:04 +0100
References: <CAL02cgTjD==YgS848sBWEGrBBkNMAtbUXJuV6RrDmak_+Mu6fw@mail.gmail.com> <6369845D-4139-4043-90F8-08AFAD4EE47B@gmail.com> <CAL02cgQFUNYVQHFni9JkwRn7Zo9kL52KyazAuL+YQVFBQT1RHg@mail.gmail.com> <D43F3ED4-E2FF-46C1-B10A-0C6169137738@wire.com> <B2437354-B775-4EEE-999D-E7BC5CA5EBEA@vigilsec.com> <1543872420.903300.1597612856.02D2AD0D@webmail.messagingengine.com> <97BD7610-40BF-4D45-935D-A24D258D31E1@wire.com> <CAL02cgSRorPdgr2HdEHUFH5vsRoKqJPtirO=9h8cdiAX6X+haA@mail.gmail.com>
To: mls@ietf.org
In-Reply-To: <CAL02cgSRorPdgr2HdEHUFH5vsRoKqJPtirO=9h8cdiAX6X+haA@mail.gmail.com>
Message-Id: <1AC0D0D2-128B-4073-9181-F7BDDFAAF4BC@wire.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/hNFvD1WRBWiTf0e6I9MGer0TyQM>
Subject: Re: [MLS] Stupidest possible message protection
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 21:42:11 -0000

As I said earlier:

> I think that for the sake of simplicity clients should choose whether to encrypt HS messages or not right at group creation (and prevent downgrade attacks by committing to extra state in the group state, just as mentioned). We can always explore later how we would handle “HS message protection agility”, if this turns out to be necessary.

In other words, HS encryption should be fixed for now. Possibly even forever, unless we come to the conclusion it’s a bad idea.

> On 3 Dec 2018, at 22:38, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Do you also mean that all the clients in a group decide independently?  (Even with a single vendor, you could have version migrations). Or does the group need to agree?
> 
> On Mon, Dec 3, 2018, 16:37 Raphael Robert <raphael=40wire.com@dmarc.ietf.org <mailto:40wire.com@dmarc.ietf.org> wrote:
> 
> 
>> On 3 Dec 2018, at 22:27, Katriel Cohn-Gordon <me@katriel.co.uk <mailto:me@katriel.co.uk>> wrote:
>> 
>> I think "clients choose" != "users choose" --- rather, whoever builds this into their application makes the choice for their users in the client code.
> 
> That’s what I meant. It will be up to the application vendor to decide on the UX.
> 
>> 
>> 
>> On Mon, 3 Dec 2018, at 9:10 PM, Russ Housley wrote:
>>> 
>>> 
>>>> On Dec 3, 2018, at 10:46 AM, Raphael Robert <raphael=40wire.com@dmarc.ietf.org <mailto:raphael=40wire.com@dmarc.ietf.org>> wrote:
>>>> 
>>>> I agree with Richard that letting clients choose is a good idea. I think that for the sake of simplicity clients should choose whether to encrypt HS messages or not right at group creation
>>> 
>>> 
>>> It is not clear to me how a user would make that choice.  They do not really have much visibility into the consequences of the choice.  So, it would be good for this group to make to choice or provide a concise description of those consequences in language a user might find helpful.
>>> 
>>> Russ
>>> 
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org <mailto:MLS@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
>> 
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org <mailto:MLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls

v2.35.0 | Report a Bug | By Email | System Status