Re: [MLS] Use Cases for avoiding Forward Secrecy
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 28 February 2018 22:52 UTC
If this group is not interested in open discussion, it might be in the
wrong standards organization. Trying to shut down discussion of other
requirements is a REALLY BAD predictor of success in IETF. Go talk to the
DANE folk and see how that worked for them.

On Wed, Feb 28, 2018 at 5:28 PM, Dennis Jackson <dennis.jackson@cs.ox.ac.uk> wrote:

> > If however we are working at the message layer, we will often want to
> > support an asynchronous mode in which one party sends some data and
> > another picks it up later. That does not prevent us working end to
> > end but it does prevent us using PFS.
>
> This is incorrect. You may want to review the design of Signal, or
> indeed the current MLS draft.
>
> > MLS is not chartered yet. We are discussing what the scope should be.
> > It is really inappropriate to assert that has been decided before we
> > have met to even discuss what the scope should be.
>
> The current proposal is designed to provide strong end to end
> security for group messaging, with perfect forward secrecy and post
> compromise security.
>
> If you don't agree with those design goals, I think you might be in the
> wrong mailing list, as rather than being a bird of a feather, you appear
> to be a bird of an altogether different species.
>
> On Wed, 28 Feb 2018 16:58:50 -0500
> Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>
> > On Wed, Feb 28, 2018 at 4:16 PM, Stephen Farrell
> > <stephen.farrell@cs.tcd.ie> wrote:
> >
> > >
> > > Hiya,
> > >
> > > On 28/02/18 17:14, Dave Cridland wrote:
> > > > Given the latter, for example, I could not use an MLS-based
> > > > system to discuss a tax problem with the authority, and since I'm
> > > > unlikely to have a SAKKE-based messaging client, I'm unlikely to
> > > > have encrypted messaging to my tax authority at all - which seems
> > > > significantly worse than merely having no Forward Secrecy.
> > > >
> > > Sorry, why is transport layer security not sufficient between you
> > > and your tax authority?
> > >
> > > I'm unclear as to why the security guarantees (aimed for) between
> > > groups of people ought be reduced in order to meet the goals of
> > > securing communications between a person and a service provider.
> > >
> > > I do agree that it'd be good if a user of some application could
> > > add a new device and still see old messages, but I'm not at all
> > > clear that's that significant (for the crypto) since people will
> > > always need to have some kind of fallback to handle cases where
> > > they've lost state.
> > >
> > > I posted a use case in which I do not want forward secrecy earlier.
> >
> > Alice works in a team with Bob and Carol. At some point Doug joins the
> > team. At that point, Doug needs access to all documents and
> > discussions related to the project, including:
> >
> > * All Word, Powerpoint, etc. documents.
> > * All Web sites and discussion forums.
> > * All group chats, video conferences, etc.
> >
> > I have a system that can support this use case with end to end
> > encryption. Mallet can run all the online services. The only time an
> > administration key is required is when people are added to or removed
> > from the group.
> >
> > Using the term 'reduced' in relation to security properties is
> > pejorative and unhelpful. If we are having a discussion related to a
> > project there will be times when:
> >
> > 1) We want the discussion to be off the record with no permanent
> >    record.
> > 2) We want the discussion to be on the record with a permanent
> >    record.
> >
> > These are disjoint use cases and they are both valid. They are even
> > valid for different discussions relating to a single project.
> >
> > If we are working at the Transport layer, our conversation is always
> > synchronous and PFS does not constrain us. If however we are working
> > at the message layer, we will often want to support an asynchronous
> > mode in which one party sends some data and another picks it up
> > later. That does not prevent us working end to end but it does
> > prevent us using PFS.