[MLS] Possible erratum: Re-adding a member
Richard Barnes <rlb@ipv.sx> Fri, 08 September 2023 15:23 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F13AC151088 for <mls@ietfa.amsl.com>; Fri, 8 Sep 2023 08:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCeUFUEgVMaP for <mls@ietfa.amsl.com>; Fri, 8 Sep 2023 08:23:35 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6202BC14F693 for <mls@ietf.org>; Fri, 8 Sep 2023 08:23:35 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id 38308e7fff4ca-2bcfd3220d3so36494531fa.2 for <mls@ietf.org>; Fri, 08 Sep 2023 08:23:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1694186613; x=1694791413; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=f0aglFVjdAePruK4YYXuoKG/RoezLv3AhXVAwIFV2Cw=; b=etsCtrS4nzKIrJtwTPmiLGIOu4MI6o34c16EyorfkC3y8NO9S4k2708evGJuUu/8Ty MEkvY+XfIfKMYjQkSTdyiLBXp1pY/42qPqvg8ZoptJ6lUJ1hAtoGa9mma7bC7x3nJ6yL WzM3ex+lwSb2hcq5bjJTuJiIPmo7MImLlKOMTES9gTxsV5I+8L5qW/AQzSD9UXUDw77Z j1iGDfP6C4EECSD8i7GxDr3bO5rj16SHzwpPolMt9ft224iEp6l74Ev5whmtPN/7JWhc dlvV4JwgpvvpvPzSPW2FhIuF2mebxeN07vd6I/hVHPnIIZmp5EQ9/qgWgym9TwQDrw45 mwMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694186613; x=1694791413; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=f0aglFVjdAePruK4YYXuoKG/RoezLv3AhXVAwIFV2Cw=; b=Pzm6kcollgtryFgVRWtgFbsJIFQxYwXSLnKmjjbz/3SyJ9KbLGvCwOHYJ0dXiZP5g/ XFLn+0WUsDEE1fbLG3xZDOncCeAjHJpD3zkGWbfM9VNTiKF01o/L2e3tQq1dhjI80fui I6v+NMCCGRLSa9Xyjjr1IsCiA9epRrnu2SM8kY3LfpMKIqIwEpDzAKqC3dyUJgLlrV+T fZVfXNc/GxAvmHHq8UIGX9mmft23CruQNCBilZ0rHeCMgEPobw0APxSPhTlK/Pfjjt/S xfdyoywvj6CNzojZ38ksi1FpiL3SDFAXffd6Ew0P8lIl0MpOxR42mPf08AleiomqIYqF XIIg==
X-Gm-Message-State: AOJu0YyUUtOyPAd3jx8aRMCpE950LEDY13hCPq7Gw68uZ50ZmUcMpyCt AGsjx4wuKI10urNpFyOugMmM6LKW5tWfTrK4zeKlUpysYsUuRrIWlUviQg==
X-Google-Smtp-Source: AGHT+IEaymBmkgnTujXgFKWEexyb5Jm4q3BhGnbUc3Q5iz8m0wLMFDRhG0mYvrjyyGfBIVdRJ+iYpqMsGkRTjU4L5Zw=
X-Received: by 2002:a2e:99cf:0:b0:2bc:fa8f:83bf with SMTP id l15-20020a2e99cf000000b002bcfa8f83bfmr2045023ljj.36.1694186612625; Fri, 08 Sep 2023 08:23:32 -0700 (PDT)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 08 Sep 2023 11:23:21 -0400
Message-ID: <CAL02cgQ7pzxOFZMvmkBKOcCmaKzRqbxxzfZgZoRpP9oks92S9A@mail.gmail.com>
To: Messaging Layer Security WG <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003ab40e0604da8fa3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/lGpowMKTVpahT7vl2aRerdR2mUk>
Subject: [MLS] Possible erratum: Re-adding a member
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 15:23:39 -0000
Hi all, I came across a situation where I think the spec might be ambiguous, if not incorrect. Consider a situation where a member is removed and re-added in the same Commit, using the same signature key for both the old and the new member, but fresh keys otherwise. Is this a legal commit? (Note that in addition to normal commits of this form, the "resync" external commits that the spec mentions also have this form.) On the one hand: The spec says that a proposal list is invalid if... - [12.2] It contains an individual proposal that is invalid as specified in Section 12.1 <https://www.rfc-editor.org/rfc/rfc9420.html#proposals>. - [12.1.1] An Add proposal is invalid if the KeyPackage is invalid according to Section 10.1 <https://www.rfc-editor.org/rfc/rfc9420.html#keypackage-validation> - [10.1] Verify that the leaf_node of the KeyPackage is valid for a KeyPackage according to Section 7.3 <https://www.rfc-editor.org/rfc/rfc9420.html#leaf-node-validation>. - [7.3] Verify that the following fields are unique among the members of the group: signature_key On the other hand: The spec also says (emphasis mine): - [12.2] It contains an Add proposal with a KeyPackage that represents a client already in the group according to the application, *unless there is a Remove proposal in the list removing the matching client from the group*. So if you read "members of the group" in the former text as "members of the group before any of the proposals are applied", then my proposed Commit is illegal. If you read it as "members of the group after any Remove proposals are applied" (as in the latter text), then the proposed Commit is fine. Personally, I think the right answer here is for such a Commit to be valid. Basically because I don't think a "resync" operation (either externally-driven or within the group) should force a signature key rotation, because signature key rotation is expensive when signature keys are tied to things like transparency or certificates. If we can get agreement on the outcome here, it seems like we should probably file an erratum clarifying the situation. Thanks, --Richard
- [MLS] Possible erratum: Re-adding a member Richard Barnes
- Re: [MLS] Possible erratum: Re-adding a member Richard Barnes
- Re: [MLS] Possible erratum: Re-adding a member Mularczyk, Marta
- Re: [MLS] Possible erratum: Re-adding a member Rohan Mahy
- Re: [MLS] Possible erratum: Re-adding a member Richard Barnes
- Re: [MLS] Possible erratum: Re-adding a member Raphael Robert