IETF Logo Mail Archive

Re: [MLS] Recommendation for encrypted group operations

Richard Barnes <rlb@ipv.sx> Tue, 30 January 2024 17:48 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AE6FC14E513 for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 09:48:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VG4Tcawt2Bo8 for <mls@ietfa.amsl.com>; Tue, 30 Jan 2024 09:48:39 -0800 (PST)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F7E8C14F6BF for <mls@ietf.org>; Tue, 30 Jan 2024 09:48:39 -0800 (PST)
Received: by mail-il1-x130.google.com with SMTP id e9e14a558f8ab-3638eb3ead6so2920285ab.0 for <mls@ietf.org>; Tue, 30 Jan 2024 09:48:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1706636918; x=1707241718; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ZBevhYX/zCAPOhMdT703XGRIHGpPOwsTPvQj+UBkukM=; b=Ig39XoEFq0DcGOXMOGADYo/P+a54Njio+u7z/zQeF8husMTIt7/wC0Q7iPS9CHF0DR 7LA+axeK0YmUEG+Is/0eHi+X0ld/GNhycLGxnXfIHPSswu7iztBVrUd/a1K8yZUzosUI SkBMmXcNRZYgxbKA8i8FHa3DlEX1YmAuAhfQC7QxPw+RqsswY4dLjcaCMcmx+ZUcW4pR LleQVJpByzjdxQVpq369a35Add3pM4bLj4be7pnBMy0mcKRxVDeBpvw+aPUnzBXuuJtu R4PrZG2zzB+mC5B+PvSmIBlSUQd/EnW+fNsRtl0ewJP5ZkZGOpNPfrpB2axzDOxi1Alt kzvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706636918; x=1707241718; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ZBevhYX/zCAPOhMdT703XGRIHGpPOwsTPvQj+UBkukM=; b=ap40S7zdQwKk+PvxR66PxmOU5NvfzF5Sv5sLvNCw47UVEzn31SI6gOXzmvhHsIlSM2 B8C5D3tHpyFbrCZ8kdHO4kkt40IWtxO+Rgo8ePTEA3KGY/xL4s+AwA1WWyxFVpl+VTFW xHVDWEVNGb2ubtnZy/HEPsmDhdhfazFFDu/aV3n10ZbZt8Dy91JIkRB/5x2RlYeyOpvu pnzfRKs2PRi/6q30Y27yHRNWBNHOb+sXNP+09Wk2Dx0Xdirc2JTL2Gdgw6hdp/0ToH1T ltiHO0oOimS+h1TagYy5pjV9miAL/IfU98+Fu0t8LW8PRTWoEO87J4xOwH3EXI9koYfA /2ig==
X-Gm-Message-State: AOJu0YxKba5UdjMhjTBn6hbdEmpKyZXQkKTtUFXVeIUGf+GUm0Fva89E LadrroubmhEpuoFWbTiWySLmjzx4NTc5Seq+Xi+kJEVW2S/hWb3odfzcWP4GE1horQT3MzgyqRe fTC1hOy0mm6f+JJ8tpIfxccLjAXO6GwoP5Rmabw3IfDQ4TJ3Tsy8=
X-Google-Smtp-Source: AGHT+IHZY/4K7Q/O+EmC+9unOGUzTZ//VZAYbwk+814gpZX4/v9bDhBQksfpoTZVh2oCPqpajyZNlfbwUREqFAs2o58=
X-Received: by 2002:a05:6e02:1d8a:b0:363:7d74:a780 with SMTP id h10-20020a056e021d8a00b003637d74a780mr8964935ila.23.1706636918466; Tue, 30 Jan 2024 09:48:38 -0800 (PST)
MIME-Version: 1.0
References: <CAJTd26+hJjKaZZenN3bQuVaifJotVhbpQoYEBLBaN7KiOw2_Qg@mail.gmail.com> <CABcZeBNT=EBMrmOJ1pBpaThs6BcVuajXYt+ziXzEMZU0LKjfjg@mail.gmail.com>
In-Reply-To: <CABcZeBNT=EBMrmOJ1pBpaThs6BcVuajXYt+ziXzEMZU0LKjfjg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 30 Jan 2024 07:48:33 -1000
Message-ID: <CAL02cgQkOxg6f1U-GwAWTOBDv96yvV1bEFZ=F7ES+Qhs7vDJLA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Brendan McMillion <brendanmcmillion@gmail.com>, MLS List <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000049418c06102d5fbe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/rWWIvjLDSbrxHGutUNeqYVnbCdI>
Subject: Re: [MLS] Recommendation for encrypted group operations
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 17:48:44 -0000

My take here is broadly in line with EKR here.  I have a couple of problems
with Brendan's analysis here:

First: #3 on Brendan's list says "want to" like it's a personal desire, but
it's actually an important objective engineering consideration: Operating
MLS is dramatically more efficient in large groups if a server caches the
tree, to the point where groups of any size are basically unworkable
without this optimization.  (Without this optimization, commits impose
linear cost in units of data sent by the committer to new joiners, and with
large constants because of credentials.)

Second: #2 "don't care about leaking" similarly discounts a legitimate
engineering trade-off.  It's not that the apps exposing membership to the
server are just being lackadaisical; there are legitimate reasons to have a
server act as a policy enforcement point as a secondary check on clients
(e.g., in cases where clients might be adversarial to the interests of the
policy controller).

Calling a set of apps that collectively cover billions of users "quite a
specific subset" is certainly a take, but not one I can agree with.

If I were writing this myself, the outline would be:
* In principle, encrypting MLS handshake messages provides the highest
level of confidentiality
* In practice, this imposes heavy performance costs
* Here are some guidelines that apps can use to decide where they want to
land on this trade-off

EKR's PR is quite close to this, so I would propose we workshop that text a
little and then adopt it.

--Richard


On Tue, Jan 30, 2024 at 7:11 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Tue, Jan 30, 2024 at 8:57 AM Brendan McMillion <
> brendanmcmillion@gmail.com> wrote:
>
>> Hi mls@
>>
>> One of the first topics of discussion at our last interim was on whether
>> or not to keep the recommendation in the architecture draft to use
>> encrypted group operations whenever possible. This is issue #210 on the
>> repo [1].
>>
>> The desire to remove this recommendation comes from the fact that many
>> mls deployments and the mimi wg do not follow it. It doesn't seem that the
>> minutes have been uploaded yet, but my memory of the conversation at the
>> interim is that:
>> - We generally agree that encrypted group operations would, in an ideal
>> world, be preferred. I recall several people saying it's the "moral thing
>> to do."
>> - Acknowledging that most deployed applications don't encrypt group
>> operations. We listed the deployments we knew of to prove this.
>>
>> The after-the-fact answer I came up with for why most applications don't
>> encrypt group operations is that they can 1.) guarantee strong
>> transport-layer security, 2.) don't care about leaking group membership to
>> a central server, and 3.) want to use that central server to provide
>> certain features. Despite being well-represented in the mls wg,
>> applications that meet criteria 1, 2 and 3 is actually quite a specific
>> subset within the space of what MLS was designed to support. Any
>> decentralized application would not meet these criteria (no transport-layer
>> encryption). Signal doesn't either (doesn't leak membership).
>>
>> Given this, my proposal is to keep the recommendation but state that
>> applications may use unencrypted operations if they have an explicit
>> reason. I've opened a PR to that effect here:
>> https://github.com/mlswg/mls-architecture/pull/247
>>
>> This is in contrast with a PR from Eric that removes the recommendation
>> and describes the tradeoffs between encrypted and unencrypted group
>> operations on relatively equal footing:
>> https://github.com/mlswg/mls-architecture/pull/246
>>
>> Please say on the list if you have a preference between the PRs. Thank
>> you!
>>
>
> Just to clarify the process here: this is the start of a discussion, not a
> consensus call, though I suppose the chairs might do a consensus call later
> if that's necessary.
>
> With that said, while I agree that it would be better if people encrypted
> the group messages, the objective of IETF documents is not to talk about
> the ideal world but to actually document protocol specifications for people
> to implement.
>
> Here in the IETF, we are specifying precisely one such protocol that uses
> MLS, which is to say MIMI, and as Brendan notes, that protocol uses
> unencrypted group operations. Text like what appears in PR #246 that
> suggests that people ought not to do what we in IETF are in fact doing
> serves mostly to confuse people and make us look uncoordinated [0].
>
> -Ekr
>
> [0] See also RFC 6919 "MUST (BUT WE KNOW YOU WON'T)" and  "OUGHT TO".
>
>
>
>
>
>
>
>
>> 1. https://github.com/mlswg/mls-architecture/issues/210
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls
>>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email