Re: [MLS] Artart early review of draft-ietf-mls-architecture-09
Valery Smyslov <smyslov.ietf@gmail.com> Wed, 28 September 2022 19:43 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39844C15DD4F; Wed, 28 Sep 2022 12:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mh-znyfbSOG7; Wed, 28 Sep 2022 12:42:59 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE5A2C15DD4C; Wed, 28 Sep 2022 12:42:58 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id b24so15450164ljk.6; Wed, 28 Sep 2022 12:42:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:from:to:cc:subject:date; bh=8WAHflPT6g117FIIPbl+/UYnbZ+/GMeoNDsv+GWGh64=; b=K6XADAf6GaaSiKaPnuRHVqABaiAi+NY5izy3t1V44PPmc5UIr8f474Ni+/ddYjOaZz pOYVYkNtuWVU1zvsdxNBQZIESVjCn2yHgaM3X5kKnHDg00hjGZyh1VRzIiphQw5oGpx9 Rr2rbaKiJuh6PUz6sXlloAr1cRxSlwMjWuigObR1GJGn1oTlGY/uMCYZ4JVne/kTlzXO sMkPO5YyaHP6uyaLWGn7SA4CUBdk16oDqHDZGF34+wxJmrkkx/f8fwOtyKfEZDP1yNx9 dcBRoeCosj8xCIAhq6Y+RHcN8pd2wBYP938Ic79C51oWtSGbVnf6xnjwTNshUP7bT49j I3mw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:x-gm-message-state:from:to:cc :subject:date; bh=8WAHflPT6g117FIIPbl+/UYnbZ+/GMeoNDsv+GWGh64=; b=D6XRZr+ns99NQ0Se+4Iyhi0XI3IjWlo2yZE+yQzGsi5po88yMoIukkjSpbx/vXHiVB tLuEJoHL5AJkLcnd2XuV/wCSiUKnK7+9tx4XSXWh2DaoSkg4hivUL5u6lhIi++9I2PE6 y/3PxnHpAhom7p39xocg3gGcgr5+E6zbRO/xKiE0SxKHWam5ohnYlJNutYztXCxQDz+z DJ4ffSYGZI8tjVULanridhWvsaR85RKZykjaYgGKfdgX0g9B2gvxxQDU8DpXUxXHt5cp 6lilyvyREsh82dYRih9A2bFlZm/7qviFrTE6gahii+4oKF7gHoNwTDUwsvaJnwj9OY2T 73ow==
X-Gm-Message-State: ACrzQf1kHj822VOqO+rw0LEStDxs2FqQ3Cykb9LvpXiV2RKbdDPxxCO3 ZXVwFa1FRaL/fs/fsTUejzSp8NdB2fw=
X-Google-Smtp-Source: AMsMyM7UvA/eRdAWwgzLo3SiTIrKCBNfpie71nLPij5vMT5gwDLaQs0CK6nf+V+/0lAK/+upCampmg==
X-Received: by 2002:a2e:9c8e:0:b0:26c:1c6b:858a with SMTP id x14-20020a2e9c8e000000b0026c1c6b858amr12174860lji.254.1664394175753; Wed, 28 Sep 2022 12:42:55 -0700 (PDT)
Received: from chichi (89-179-106-224.broadband.corbina.ru. [89.179.106.224]) by smtp.gmail.com with ESMTPSA id j22-20020a2e8516000000b0026c111ac7bcsm521389lji.86.2022.09.28.12.42.54 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Sep 2022 12:42:55 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Richard Barnes' <rlb@ipv.sx>, 'Valery Smyslov' <valery@smyslov.net>
Cc: art@ietf.org, draft-ietf-mls-architecture.all@ietf.org, mls@ietf.org
References: <166435475290.31147.15265580440001096239@ietfa.amsl.com> <CAL02cgTfFUe_f3+E-W_AQDJSCNDRGgFJHu-5Q--aRg2QJi08NQ@mail.gmail.com>
In-Reply-To: <CAL02cgTfFUe_f3+E-W_AQDJSCNDRGgFJHu-5Q--aRg2QJi08NQ@mail.gmail.com>
Date: Wed, 28 Sep 2022 22:42:51 +0300
Message-ID: <008601d8d372$7f934500$7eb9cf00$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0087_01D8D38B.A4E3FF70"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFagE8UaMryvlylOn/w640MwROoqgEe9yZZrujniaA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/jvnOTuXu2Q0t06x-xogKeSBG-Y8>
Subject: Re: [MLS] Artart early review of draft-ietf-mls-architecture-09
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2022 19:43:01 -0000
Hi Richard, thank you for the explanations. One clarifying question (with trimming all the rest): Hi Valery, Thanks for the review. A couple of comments inline (with some trimming)... 1. Section 5.10 describes the compatibility with future Versions of MLS. In particular it states: When multiple versions of MLS are available, the negotiation protocol guarantees that the version agreed upon will be the highest version supported in common by the group. and In MLS 1.0, the creator of the group is responsible for selecting the best ciphersuite supported across clients. I think this is problematic for the clients that join group later. Consider the situation when a newer version of the protocol is available and some clients are upgraded, but most are not yet. If the upgraded clients (that support both versions) form a new group, then they select the highest version of the protocol. After that no other clients, that are not yet upgraded (which still form majority), can join this group. The same situation is with ciphersuites (and it is unclear what is "the best ciphersuite", how to compare them). I think there must be an option for the group in situation when all the members support several protocol versions (or several ciphersuites) to change the version (or ciphersite) on the fly (if this is ever possible and doesn't lead to the degradation of security) if incoming clients don't support the currently selected ones. This should also include "external joins", probably the published information about the group should be constructed in such a way that clients having different capabilities may read it. I understand that this would complicate the protocol, but otherwise its usability would suffer. I think the mechanics you're looking for are already in the protocol. The Capabilities element of the LeafNode describes the supported versions and ciphersuites for each member of the group, so you can always tell whether the version/ciphersuite in use is the best one possible. At the beginning of the group, this functions as downgrade protection; as the group ages and clients update to support new things, it can highlight opportunities for upgrade. (Upgrade being done with the ReInit mechanism in the protocol.) All members of the group are aware of these signals and protected from any intermediary tampering with them. The latter point is the important one: The protection against downgrade here is against *intermediaries*, not group members. The notion of "best" is up to the application (just as for say TLS servers), thus so is the selection of ciphersuites among those available and the timing of upgrades. In other words, the protocol has already done all it can do. Do I get you right that the following scenarios are already supported by the protocol? Some set of clients that all support version x and version y (where y > x) form a new group using version y. Let this group policy allows "external joins". My question - can a new client that support only version x join this group later using the external join mechanism? The same question with ciphersuites - if all clients in the group support ciphersuites X and Y and selected X as "the best" at the time the group is formed, then can a client that only support ciphersuite Y join this group later using "external join"? Note, that in both cases there is some kind of downgrade... If these scenarios are supported by the protocol, then my concerns were extraneous. However, it would be great if they are outlined in details in the document. Regards, Valery.
- [MLS] Artart early review of draft-ietf-mls-archi… Valery Smyslov via Datatracker
- Re: [MLS] Artart early review of draft-ietf-mls-a… Richard Barnes
- Re: [MLS] Artart early review of draft-ietf-mls-a… Valery Smyslov
- Re: [MLS] Artart early review of draft-ietf-mls-a… Richard Barnes
- Re: [MLS] Artart early review of draft-ietf-mls-a… Valery Smyslov