Re: [MLS] Artart early review of draft-ietf-mls-architecture-09
Valery Smyslov <smyslov.ietf@gmail.com> Wed, 28 September 2022 20:42 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA92C15EB35; Wed, 28 Sep 2022 13:42:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3CryQuQUdN9Y; Wed, 28 Sep 2022 13:42:54 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5DF5C15DD71; Wed, 28 Sep 2022 13:42:53 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id l12so15623346ljg.9; Wed, 28 Sep 2022 13:42:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:from:to:cc:subject:date; bh=AIgqv9GVtXv7AHGH0dOgFkPlXrWN3rXXuSQebPdBem0=; b=DDtOfoIthwQc2OchCWHGvCFnlxF/OiKmkEFaCMYxFWt1Pa0g/NwMsy/Ov0umfvLz2F KhO0kwLpGb+6Mp9Shx+YvimQKsO8ovx+ATyThh09dANzenvLINY9SBGrwmMexRiHnvHb igwJL+zauBUTjhn2HxhXDoqSBBaYzQgjXDwc18iMzx2KV7zY0nZe721996JuYizvvq7M jsxMLVXNDyuwZADLzfEFinsWX3KCtgTGL3er0Ei40o5KLXngnBjtXCiAz73GToKoP10Q FrPqcKfclLGQ4PVo2QQwv8gj6g8aXRXL8BpcghuF9uRql/SJQjjpOhIKiNq24phBRkSC JXvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:x-gm-message-state:from:to:cc :subject:date; bh=AIgqv9GVtXv7AHGH0dOgFkPlXrWN3rXXuSQebPdBem0=; b=TYwCswhMtK0sdaz11h0co08DRVO/iRxHJufQUhNy7LNY70Sv/M3fpxIXXwVVHltpI4 +wTkh7/vtsj57TOmOxrcu8jx+iXj0L6kutON1/Ir9g8MYx8eHaSGPIMgsuPzSS9EgBbK DnKYW7JfA6QvzB1TpWWOpHFS8wbMPOKxta3d55phy1UAcNvdUKEnXpO0aAf3qLjsmkIe k1RsmKZkY3NGe+y1MmHzLMIMXOIbuW9WC9ekUsnmhbZsPQMuTk8w7mM+fW6QRYQFHdfe IsytYWtjtwmMFrRCD3sC5wrRFfItPH2JwVOlSRV9HDyUTi6Rxr90WDvJPkeulgtIi3Cm iNTg==
X-Gm-Message-State: ACrzQf1p93tFc5++1R67ZTaCR6nWucj2CKJ4ly2qdnW2J91QxugBNV5N IJ+oHo1jI/E6bpT5FQX4P7YivfRBnlw=
X-Google-Smtp-Source: AMsMyM6pmV63ZkKkvfa4N8hC8FwV5dphYkM9jGafj2to9410Xw3iLR1jJ01yhJ5r1KcsPfmUqsaipg==
X-Received: by 2002:a2e:a785:0:b0:26c:560f:9f6c with SMTP id c5-20020a2ea785000000b0026c560f9f6cmr12713028ljf.317.1664397770692; Wed, 28 Sep 2022 13:42:50 -0700 (PDT)
Received: from chichi (89-179-106-224.broadband.corbina.ru. [89.179.106.224]) by smtp.gmail.com with ESMTPSA id f15-20020ac25ccf000000b0048a921664e8sm570187lfq.37.2022.09.28.13.42.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Sep 2022 13:42:50 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Richard Barnes' <rlb@ipv.sx>
Cc: 'Valery Smyslov' <valery@smyslov.net>, art@ietf.org, draft-ietf-mls-architecture.all@ietf.org, mls@ietf.org
References: <166435475290.31147.15265580440001096239@ietfa.amsl.com> <CAL02cgTfFUe_f3+E-W_AQDJSCNDRGgFJHu-5Q--aRg2QJi08NQ@mail.gmail.com> <008601d8d372$7f934500$7eb9cf00$@gmail.com> <CAL02cgR0GSDa1drz6Zc7fYQBF_DjJzeKxAY0acdHbtit9awFNA@mail.gmail.com>
In-Reply-To: <CAL02cgR0GSDa1drz6Zc7fYQBF_DjJzeKxAY0acdHbtit9awFNA@mail.gmail.com>
Date: Wed, 28 Sep 2022 23:42:45 +0300
Message-ID: <00a001d8d37a$ddae2d00$990a8700$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00A1_01D8D394.02FF3590"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFagE8UaMryvlylOn/w640MwROoqgEe9yZZAs3hjDICfrSuPq6+k5Pw
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/sXtZbIv9OanXvazhBbVsBxLXyY0>
Subject: Re: [MLS] Artart early review of draft-ietf-mls-architecture-09
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2022 20:42:58 -0000
Just to recap your scenario: Suppose we have a group where:
* All members support versions (A, B) and ciphersuites (X, Y) [where A < B and X < Y for some definition of "<"]
* The group uses version A and ciphersuite B
Do you mean "version A and ciphersuite X"? (or ciphersuite Y, since there is no ciphersuite B).
(Since there is some confusion with the ciphersuites (there is no ciphersuite B in your example), let's go with the version number only.)
In that case, MLS would allow any client to join (including external join) that supports version A and ciphersuite B -- what the members support doesn't matter, only that the joiner supports the group's parameters.
It's obvious that any client supporting version A can join the group that was created using version A.
In my scenario the external client supports only version B. So, if it were among the clients that form the group,
then the group would have been created with the different version (since all other members support A and B and the client in question supports only B,
the common denominator is B and they would go with it). But it wasn't. Can this client unilaterally join the group later?
In this case the group version should change as a result of its join (I assume group policy doesn't prohibit B).
Does the protocol support this scenario?
That said, MLS provides verified information about version/ciphersuite support to all members, and the joiner's information is visible in an external join. So for example, an application might implement policies that enforce a minimum version / ciphersuite on new joins by having a server reject KeyPackages or external joins that use the versions/ciphersuites that are too old. Likewise, group members could refuse to add a new member (remove an external joiner) that doesn't meet their requirements.
Regards,
Valery.
--Richard
On Wed, Sep 28, 2022 at 3:42 PM Valery Smyslov <smyslov.ietf@gmail.com> wrote:
Hi Richard,
thank you for the explanations. One clarifying question (with trimming all the rest):
Hi Valery,
Thanks for the review. A couple of comments inline (with some trimming)...
1. Section 5.10 describes the compatibility with future Versions of MLS. In
particular it states:
When multiple versions of MLS
are available, the negotiation protocol guarantees that the version
agreed upon will be the highest version supported in common by the group.
and
In MLS 1.0, the creator of the group is responsible for selecting the
best ciphersuite supported across clients.
I think this is problematic for the clients that join group later. Consider the
situation when a newer version of the protocol is available and some clients
are upgraded, but most are not yet. If the upgraded clients (that support both
versions) form a new group, then they select the highest version of the
protocol. After that no other clients, that are not yet upgraded (which still
form majority), can join this group. The same situation is with ciphersuites
(and it is unclear what is "the best ciphersuite", how to compare them).
I think there must be an option for the group in situation when all the members
support several protocol versions (or several ciphersuites) to change the
version (or ciphersite) on the fly (if this is ever possible and doesn't lead
to the degradation of security) if incoming clients don't support the currently
selected ones. This should also include "external joins", probably the
published information about the group should be constructed in such a way that
clients having different capabilities may read it.
I understand that this would complicate the protocol, but otherwise its
usability would suffer.
I think the mechanics you're looking for are already in the protocol. The Capabilities element of the LeafNode describes the supported versions and ciphersuites for each member of the group, so you can always tell whether the version/ciphersuite in use is the best one possible. At the beginning of the group, this functions as downgrade protection; as the group ages and clients update to support new things, it can highlight opportunities for upgrade. (Upgrade being done with the ReInit mechanism in the protocol.) All members of the group are aware of these signals and protected from any intermediary tampering with them.
The latter point is the important one: The protection against downgrade here is against *intermediaries*, not group members. The notion of "best" is up to the application (just as for say TLS servers), thus so is the selection of ciphersuites among those available and the timing of upgrades.
In other words, the protocol has already done all it can do.
Do I get you right that the following scenarios are already supported by the protocol?
Some set of clients that all support version x and version y (where y > x) form a new group
using version y. Let this group policy allows "external joins". My question - can a new client
that support only version x join this group later using the external join mechanism?
The same question with ciphersuites - if all clients in the group support
ciphersuites X and Y and selected X as "the best" at the time the group is formed, then
can a client that only support ciphersuite Y join this group later using
"external join"? Note, that in both cases there is some kind of downgrade...
If these scenarios are supported by the protocol, then my concerns were extraneous.
However, it would be great if they are outlined in details in the document.
Regards,
Valery.
- [MLS] Artart early review of draft-ietf-mls-archi… Valery Smyslov via Datatracker
- Re: [MLS] Artart early review of draft-ietf-mls-a… Richard Barnes
- Re: [MLS] Artart early review of draft-ietf-mls-a… Valery Smyslov
- Re: [MLS] Artart early review of draft-ietf-mls-a… Richard Barnes
- Re: [MLS] Artart early review of draft-ietf-mls-a… Valery Smyslov