IETF Logo Mail Archive

Re: [MLS] Federation and MLS

Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Tue, 26 March 2019 09:03 UTC

Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 128F512030A for <mls@ietfa.amsl.com>; Tue, 26 Mar 2019 02:03:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dPlqSQrzsrKJ for <mls@ietfa.amsl.com>; Tue, 26 Mar 2019 02:03:53 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F648120309 for <mls@ietf.org>; Tue, 26 Mar 2019 02:03:51 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.60,271,1549926000"; d="scan'208";a="375763605"
Received: from dhcp-9183.meeting.ietf.org ([31.133.145.131]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Mar 2019 09:58:14 +0100
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
In-Reply-To: <06ed3028-3044-0e10-dd44-caf50496d3b7@mnt.se>
Date: Tue, 26 Mar 2019 09:58:11 +0100
Cc: ML Messaging Layer Security <mls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <09C8A462-46AA-464B-A07E-9B3E321F8A0D@inria.fr>
References: <817649924.1176598.1553527876075.JavaMail.zimbra@inria.fr> <CAHo7dC913xSx-5ZaFkJ7_ZRQJyV31NO3OBSFJ2FNJ42mFdy1hQ@mail.gmail.com> <06ed3028-3044-0e10-dd44-caf50496d3b7@mnt.se>
To: Leif Johansson <leifj@mnt.se>, Harry Halpin <harry.halpin@inria.fr>, Emad Omara <emadomara@google.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/jbq10XoU2Ig6NB8MiH6dNZ1zmA0>
Subject: Re: [MLS] Federation and MLS
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 09:04:04 -0000

Hi all,

> On Mar 26, 2019, at 9:39 AM, Leif Johansson <leifj@mnt.se> wrote:
> 
> 
>>    3) Metadata:
>> 
>>    In general, some sort of metadata will need to be shared, i.e.
>>    icons,  human readable user-names, group names. I would suggest that
>>    as this may be an application message that is simply be considered a
>>    non-cryptographic update. Any attempt to proscibe too much on this
>>    layer leads to endless bike-shedding and so should be avoided :)
>>    However, some minimal optional subset of metadata commonly used for
>>    chat could be useful, but rather than whiteboard it, it would be
>>    better to have each major MLS vendor that plans to support
>>    federation see what their common subset is with everyone else, and
>>    then just make a call that delivers just that as an MLS update. 
>> 
>> I think this will be up to the application  layer, MLS shouldn't care
>> about this.
> Won't this lead to spoofing-oportunities? Users will place trust in
> the the artifacts that are presented to them (names, icons etc) which
> means that in general such artifacts should be as tightly bound to keys
> as any properties tied to the user that are designed to be used by the
> protocol.


If I understand properly, Harry suggest to identify a subset of metadata that
should be sent inside the secure channel as a special messages and Emad
considers it should be up to the application on how to handle them.

I believe that I have an intermediate point of view on this:
I would be in favor of adding such considerations in the architecture document
with a section documenting the fact that some metadata that are privacy
relevant but not cryptographically relevant messages should be protected as
normal application messages in MLS and list which data usually requires such
protection. Once protected as a normal application message, it relies mostly on the
trustworthiness of the application to convey those informations properly to the UI.

Benjamin

v2.23.0 | Report a Bug | By Email