Re: [MLS] Use Cases for avoiding Forward Secrecy

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 28 February 2018 22:52 UTC

In-Reply-To: <20180228222800.0a978ded@T-200>
References: <CAKHUCzxOwmPrpUUj6HSRMcxiXtRmT05OapeBQdRA49bSWum6yQ@mail.gmail.com> <f10d4e2c-7b4c-b841-eadf-056e1729c713@cs.tcd.ie> <CAMm+LwjJxdTJcPBCNh3JsjDeWODFuS3FwUPz_ztvzKpkU7X8DA@mail.gmail.com> <20180228222800.0a978ded@T-200>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 28 Feb 2018 17:52:39 -0500
Message-ID: <CAMm+LwiEq5XN2Fyczt0GweoJqf5U6K_CRcNifKKApLOsu2Qc6A@mail.gmail.com>
To: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
Cc: mls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/sCJtGIdxninDfFG_F1DP5kGT_Gg>

If this group is not interested in open discussion, it might be in the
wrong standards organization.

Trying to shut down discussion of other requirements is a REALLY BAD
predictor of success in IETF.

Go talk to the DANE folk and see how that worked for them.

On Wed, Feb 28, 2018 at 5:28 PM, Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
wrote:

> > If however we are working at the message layer, we will often want to
> > support an asynchronous mode in which one party sends some data and
> > another picks it up later. That does not prevent us working end to
> > end but it does prevent us using PFS.
>
> This is incorrect. You may want to review the design of Signal, or
> indeed the current MLS draft.
>
> > MLS is not chartered yet. We are discussing what the scope should be.
> > It is really inappropriate to assert that has been decided before we
> > have met to even discuss what the scope should be.
>
> The current proposal is designed to provide strong end to end
> security for group messaging, with perfect forward secrecy and post
> compromise security.
>
> If you don't agree with those design goals, I think you might be in the
> wrong mailing list, as rather than being a bird of a feather, you appear
> to be a bird of an altogether different species.
>
> On Wed, 28 Feb 2018 16:58:50 -0500
> Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>
> > On Wed, Feb 28, 2018 at 4:16 PM, Stephen Farrell
> > <stephen.farrell@cs.tcd.ie> wrote:
> >
> > >
> > > Hiya,
> > >
> > > On 28/02/18 17:14, Dave Cridland wrote:
> > > > Given the latter, for example, I could not use an MLS-based
> > > > system to discuss a tax problem with the authority, and since I'm
> > > > unlikely to have a SAKKE-based messaging client, I'm unlikely to
> > > > have encrypted messaging to my tax authority at all - which seems
> > > > significantly worse than merely having no Forward Secrecy.
> > >
> > > Sorry, why is transport layer security not sufficient between you
> > > and your tax authority?
> > >
> > > I'm unclear as to why the security guarantees (aimed for) between
> > > groups of people ought be reduced in order to meet the goals of
> > > securing communications between a person and a service provider.
> > >
> > > I do agree that it'd be good if a user of some application could
> > > add a new device and still see old messages, but I'm not at all
> > > clear that's that significant (for the crypto) since people will
> > > always need to have some kind of fallback to handle cases where
> > > they've lost state.
> >
> >
> > I posted a use case in which I do not want forward secrecy earlier.
> >
> > Alice works in a team with Bob and Carol. At some point Doug joins the
> > team. At that point, Doug needs access to all documents and
> > discussions related to the project, including:
> >
> > * All Word, PowerPoint, etc. documents.
> > * All Web sites and discussion forums.
> > * All group chats, video conferences, etc.
> >
> > I have a system that can support this use case with end to end
> > encryption. Mallet can run all the online services. The only time an
> > administration key is required is when people are added to or removed
> > from the group.
> >
> > Using the term 'reduced' in relation to security properties is
> > pejorative and unhelpful. If we are having a discussion related to a
> > project there will be times when:
> >
> > 1) We want the discussion to be off the record with no permanent
> > record.
> > 2) We want the discussion to be on the record with a permanent record.
> >
> > These are disjoint use cases and they are both valid. They are even
> > valid for different discussions relating to a single project.
> >
> > If we are working at the Transport layer, our conversation is always
> > synchronous and PFS does not constrain us. If however we are working
> > at the message layer, we will often want to support an asynchronous
> > mode in which one party sends some data and another picks it up
> > later. That does not prevent us working end to end but it does
> > prevent us using PFS.
>
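Added example, not part of this thread and not code from Signal or the MLS draft: a minimal symmetric hash ratchet in Python, showing that store-and-forward delivery does not by itself rule out forward secrecy (a recipient who comes online later still derives each message key in turn, and a captured chain state yields nothing sent before it), and that keeping the root key for a later joiner such as Doug restores access to history at the cost of exactly that property. The root key, KDF labels and the toy stream cipher are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed illustration: a symmetric hash ratchet of the kind used by Signal-style
# protocols. Root key, labels and the toy cipher are assumptions, not any real protocol's.

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step; HMAC-SHA256 stands in for the protocol's KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream); the same call encrypts and decrypts.
    A real deployment uses an AEAD; this keeps the example stdlib-only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class ChainState:
    """One party's view of the chain. Only the current chain key is held; each
    message key is derived, used once and discarded, so it cannot be recomputed."""

    def __init__(self, chain_key: bytes, n: int = 0):
        self.chain_key, self.n = chain_key, n

    def next_message_key(self) -> bytes:
        mk = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # ratchet forward; old key is gone
        self.n += 1
        return mk

def send_all(sender: ChainState, plaintexts):
    """Encrypt each message under a fresh key and leave it with a store-and-forward relay."""
    mailbox = []
    for pt in plaintexts:
        mailbox.append((sender.n, xor_stream(sender.next_message_key(), pt)))
    return mailbox

def receive_later(receiver: ChainState, mailbox):
    """Recipient comes online afterwards and catches up; no round trip with the sender."""
    return [xor_stream(receiver.next_message_key(), ct) for _, ct in mailbox]

def decryptable_from(compromised: ChainState, mailbox):
    """What a party holding the chain state at position compromised.n can read:
    that message and later ones, never earlier ones (forward secrecy)."""
    start = compromised.n
    return {i: xor_stream(compromised.next_message_key(), ct)
            for i, ct in mailbox if i >= start}
```

Handing Doug the root key (`ChainState(root)`) lets him read the whole mailbox, which is the on-the-record use case; a sender who has ratcheted past a message and dropped the old chain key cannot give it back even under compulsion.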