Re: [MLS] confirming cipher suites decisions

"Hale, Britta (CIV)" <> Wed, 12 February 2020 17:10 UTC

From: "Hale, Britta (CIV)" <>
To: Richard Barnes <>
CC: Sean Turner <>, Messaging Layer Security WG <>

It is not clear whose current state of thinking you are referring to, Richard, but perhaps we should give a week to Sean's original 20th of February timeline so that the working group members have the opportunity to discuss and speak for themselves.

From: Richard Barnes <>
Sent: Wednesday, February 12, 2020 9:04:15 AM
To: Hale, Britta (CIV) <>
Cc: Sean Turner <>; Messaging Layer Security WG <>
Subject: Re: [MLS] confirming cipher suites decisions

I agree that these considerations are good to get documented, but at least given the current state of thinking, it seems fine to proceed with the strategy in the current PR.

On Wed, Feb 12, 2020 at 11:00 AM Hale, Britta (CIV) wrote:

Concerning the use of a single group signature scheme or individual signature schemes, it is probably worthwhile to expand on the consideration points and clarify what security implications we are accepting - in either case. I have listed out some issues in the following Google doc:

I am not making an argument for either case at this point, but pushing this out for discussion and to help us achieve more clarity as to the benefits and consequences of either choice. There are certainly more issues to consider (e.g. ease of implementation, efficiency, etc. in addition to security considerations) and other views - feel free to add them or discuss on the mailing list.

All the best,


On 2/6/20, 8:11 AM, "MLS on behalf of Sean Turner" wrote:


    tl;dr: confirming MTI suite selections and rationale for avoiding proliferation

    During the F2F Interim in January, the WG discussed cipher suites-related issues. Namely, whether a per-group signature scheme should be driven by the chosen cipher suite, what were the MTI (Mandatory To Implement) cipher suites, and what the actual algorithm should be.

    There was rough agreement that there should be one signature scheme per group and that should be driven by the cipher suite. There are, at least, three things to consider: 1) if a potential group member does not support the algorithm, then they will not become a member or the group will need to downgrade; 2) when the group needs/wants to update, it is a flag day; and, 3) the cipher suites will have similar combinatorial issues as the TLS cipher suites prior to TLS 1.3. The agreement was “rough” because 1) likely has some important implications.

    The MLS cipher suites defined were as follows:
    - MLS10_128_HPKEX25519_AES128GCM_SHA256_Ed25519
    - MLS10_128_HPKEP256_AES128GCM_SHA256_P256
    - MLS10_128_HPKEX25519_CHACHA20POLY1305_SHA256_Ed25519
    - MLS10_256_HPKEX448_AES256GCM_SHA384_Ed448
    - MLS10_256_HPKEP521_AES256GCM_SHA384_P521
    - MLS10_256_HPKEX448_CHACHA20POLY1305_SHA384_Ed448

    At the interim, the consensus was to make the non-NIST suites the MTI. The rationale was that those implementations that need to be NIST compliant will do so regardless of the choice made by the WG.

    In looking at the actual cipher suites, it was noted that for the 256-bit schemes the SHA should be SHA-512. The rationale agreed was that SHA-384 is SHA-512 cut in half, so just do SHA-512 because it is one less operation.

    To avoid the proliferation of cipher suites, guidance will be provided to be conservative about allocating new code points. The consensus at the interim was that the suites provided were minimal and provided good coverage for the known use cases:
    - (X25519, AES-GCM, Ed25519) - Good for desktop
    - (P-256, AES-GCM, P-256) - Compliance
    - (X25519, ChachaPoly, Ed25519) - Good for mobile

    The chairs need to confirm the interim’s consensus on list, so please let the WG know by 2359 UTC 20 February whether you disagree with these choices and why.

    NOTE: The final text will obviously be reviewed, but is being composed as part of the following PR:

    NOTE: We combined these cipher suite related consensus points, but if we only come to consensus on some of these we can still incorporate what we do agree on.


    Nick and Sean
    MLS mailing list<>

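An added illustration, not part of the original thread and not code from the MLS draft: it splits the suite names listed in Sean Turner's message into their components and models consideration 1), where a candidate that does not support the group's suite either stays out or forces the group onto a suite everyone shares. The `admit` function, the member names and their supported-suite sets are constructed assumptions.

```python
from typing import NamedTuple

# Suite names exactly as listed in the quoted message.
SUITES = [
    "MLS10_128_HPKEX25519_AES128GCM_SHA256_Ed25519",
    "MLS10_128_HPKEP256_AES128GCM_SHA256_P256",
    "MLS10_128_HPKEX25519_CHACHA20POLY1305_SHA256_Ed25519",
    "MLS10_256_HPKEX448_AES256GCM_SHA384_Ed448",
    "MLS10_256_HPKEP521_AES256GCM_SHA384_P521",
    "MLS10_256_HPKEX448_CHACHA20POLY1305_SHA384_Ed448",
]

class Suite(NamedTuple):
    level: int  # security level in bits
    kem: str    # HPKE key-exchange group
    aead: str
    hash: str
    sig: str    # the single signature scheme every group member must use

def parse_suite(name: str) -> Suite:
    """Split a suite name from the list above into its five components."""
    parts = name.split("_")
    if len(parts) != 6 or parts[0] != "MLS10" or not parts[2].startswith("HPKE"):
        raise ValueError(f"unrecognised suite name: {name}")
    _, level, kem, aead, hash_, sig = parts
    return Suite(int(level), kem[len("HPKE"):], aead, hash_, sig)

def admit(group_suite: str, members: dict, candidate: set) -> tuple:
    """Hypothetical model of consideration 1): join, change suite, or reject.

    members maps a member name to the set of suite names it supports.
    """
    if group_suite in candidate:
        return ("join", group_suite)
    # Suites the candidate and every existing member all support.
    shared = [s for s in SUITES
              if s in candidate and all(s in sup for sup in members.values())]
    if not shared:
        return ("reject", group_suite)  # candidate cannot become a member
    best = max(shared, key=lambda s: parse_suite(s).level)
    lower = parse_suite(best).level < parse_suite(group_suite).level
    return ("downgrade" if lower else "switch", best)

# Constructed sample group: both members support a 256-bit and a 128-bit suite.
MEMBERS = {"alice": {SUITES[3], SUITES[0]},
           "bob": {SUITES[3], SUITES[0], SUITES[2]}}

if __name__ == "__main__":
    for cand in ({SUITES[3]}, {SUITES[0], SUITES[2]}, {SUITES[1]}):
        print(sorted(cand), "->", admit(SUITES[3], MEMBERS, cand))
```

Because the signature scheme is the last field of the suite name, any result other than `join` changes the signature algorithm for the whole group at once, which is the flag-day concern in consideration 2).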