IETF Logo Mail Archive

Re: [MLS] Éric Vyncke's Discuss on draft-ietf-mls-architecture-10: (with DISCUSS and COMMENT)

Benjamin Beurdouche <ietf@beurdouche.com> Tue, 31 January 2023 19:31 UTC

Return-Path: <ietf@beurdouche.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF8ADC14CE5F for <mls@ietfa.amsl.com>; Tue, 31 Jan 2023 11:31:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=beurdouche-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j-iGJLKKsNP9 for <mls@ietfa.amsl.com>; Tue, 31 Jan 2023 11:31:53 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FF01C151544 for <mls@ietf.org>; Tue, 31 Jan 2023 11:31:53 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id m5-20020a05600c4f4500b003db03b2559eso11466654wmq.5 for <mls@ietf.org>; Tue, 31 Jan 2023 11:31:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beurdouche-com.20210112.gappssmtp.com; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=0JEAEkRf4DSYwpRjJtkTmqSTGw5zDfql06B/oEWZ00c=; b=IsIPHz8DjOGX4kUT1gGgB2QmLpkJ4lL9bdyvyAu/KPV3RCfMjWLNkHXgGwQOMxXnOp Itsc/OAUQclBGMUKEa7mE2N47IpKk6xtgY9XzmbYASOYLeno7yDKRTBb5OLKLP3B1cqj bS3PfOdLqAKKK7BGX1KoCaFP7LQXQDb00Ev68h0wlp7inhVTfI4fTmryht3ZGNgAEo67 y8y9qe+SwX9S3Q7zm1T0i+qxoH9ftRf9xB5w86ZYnB7GP/HmihCI4CoDSzQCltKjw+Ko YOntErjcDiEwvoNtKYfPKlw+T04mRbqNsX0Quoao+7FVP/cvfGEvaVC5blfK+wLrWjL4 kU6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0JEAEkRf4DSYwpRjJtkTmqSTGw5zDfql06B/oEWZ00c=; b=2q3bnKli6iFGNiSAIjiClQ0Rht6nGbCqgUbKj4SmqExzfe559p19UcmVNuOQClES02 sjSEW2uK60sb2Lf2Fur1hBMO5v63vMTGeHV54rRYd2mWNPZe9YpO1gekjdV0re/jv7sA M7S7nRomMAv76n5LBKnL00rs0or7h6jHSpB5tr9UfiVo5J+sD9tE9+9Pqalt9/rLpgSK x1vTaC4dSYeZYYMeY3FT8ck4t729fbBHGWxtYhjkP5GyBbzW+6rUWWftnvl9vGyf6eQ/ S1V/7Zg8+KEM6kSjraZNjn7Sm5AXn8lW165aLaFTUJMzQO0X1V/7n/XpazN6JVqcowtm D7Uw==
X-Gm-Message-State: AO0yUKWlVAsoWK9xMmRhdBUqW1psuV5XGBH0a01wREiBKwuWRFbHKAtK aJOqLHVDNBIN8vUhodc++xBSxA==
X-Google-Smtp-Source: AK7set/BDGmSNKpkIIKhjqQCESP3tUSRpSEKiZbc6bbrKFhYE8ezI+iRJeOKvJTAj8WM1ZimL4PBRA==
X-Received: by 2002:a05:600c:5028:b0:3dd:1982:4ce0 with SMTP id n40-20020a05600c502800b003dd19824ce0mr6585203wmr.16.1675193510816; Tue, 31 Jan 2023 11:31:50 -0800 (PST)
Received: from smtpclient.apple ([2a01:e34:ec0d:ee60::5698:6711]) by smtp.gmail.com with ESMTPSA id t19-20020a1c7713000000b003dc48a2f997sm11533716wmi.17.2023.01.31.11.31.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Jan 2023 11:31:50 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.300.101.1.3\))
From: Benjamin Beurdouche <ietf@beurdouche.com>
In-Reply-To: <167516072810.59588.736827594250525013@ietfa.amsl.com>
Date: Tue, 31 Jan 2023 20:31:39 +0100
Cc: The IESG <iesg@ietf.org>, draft-ietf-mls-architecture@ietf.org, MLS Chairs <mls-chairs@ietf.org>, ML IETF Messaging Layer Security <mls@ietf.org>, Katriel Cohn-Gordon <me@katriel.co.uk>, cas.cremers@cs.ox.ac.uk, thyla.van.der@merwe.tech, Jon Millican <jmillican@fb.com>, Raphael Robert <raphael@wire.com>, Sean Turner <sean@sn3rd.com>, tale@dd.org, jinmei@wide.ad.jp
Content-Transfer-Encoding: quoted-printable
Message-Id: <C8540B11-C382-48B7-8454-F95AA7F4364D@beurdouche.com>
References: <167516072810.59588.736827594250525013@ietfa.amsl.com>
To: Éric Vyncke <evyncke@cisco.com>
X-Mailer: Apple Mail (2.3731.300.101.1.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/v54AUHGosuojg3BUoWSn9tTuknQ>
X-Mailman-Approved-At: Tue, 31 Jan 2023 19:08:43 -0800
Subject: Re: [MLS] Éric Vyncke's Discuss on draft-ietf-mls-architecture-10: (with DISCUSS and COMMENT)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 19:31:57 -0000

Hi Éric,

Thanks a lot for the review, please find some insights below.
I have filled https://github.com/mlswg/mls-architecture/issues/179 to keep track of all the requested changes.

Best,
Benjamin

> On 31 Jan 2023, at 11:25, Éric Vyncke via Datatracker <noreply@ietf.org> wrote:
> 
> Éric Vyncke has entered the following ballot position for
> draft-ietf-mls-architecture-10: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-mls-architecture/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> 
> # Éric Vyncke, INT AD, comments for draft-ietf-mls-architecture-10
> CC @evyncke
> 
> Thank you for the work put into this document.
> 
> I find it very difficult to understand as many concepts are not explained.
> Usually, I start reading the architecture I-D before the protocol one, and this
> document does not help understanding the architecture. We could even argue
> whether the I-D is about architecture or about security considerations.


The MLS architecture document has been written using a non-conventional approach for the IETF in
the sense that it only provides a very basic set of Functional Requirements in the document.
So, the lack of precision in the description of the general architecture is "by design”.

The reason is that the WG has focused on designing a Protocol which works with many different
architectures (centralized, decentralized, with a PKI, with no PKI… ) so that different Service Providers
can use a single protocol for their use cases (secure messaging, video conferencing,
machine-to-machine, IOT, Satellite….)

However, the security and privacy guarantees that should be achieved in all these use cases
and architectures are supposed to be constant. This is why the overall document seems very centered
around a core abstract protocol and the security model instead of explaining one specific architecture.


> Please find below some blocking DISCUSS points (easy to address), some
> non-blocking COMMENT points (but replies would be appreciated even if only for
> my own education), and some nits.
> 
> Thanks to Tatuya Jinmei, the Internet directorate reviewer (at my request),
> please consider this int-dir review with one nit worth considering:
> https://datatracker.ietf.org/doc/review-ietf-mls-architecture-10-intdir-telechat-jinmei-2023-01-29/
> and as noted I share Jinmei's view about the clarity of the I-D.
> 
> Please note that Dave Lawrence is the DNS directorate reviewer (at my request)
> and you may want to consider this dnsdir review as well when Dave will complete
> the review (no need to wait for it though):
> https://datatracker.ietf.org/doc/draft-ietf-mls-architecture/reviewrequest/16998/
> 
> Special thanks to Sean Turner for the shepherd's detailed write-up including
> the WG consensus *and* the justification of the intended status.
> 
> I hope that this review helps to improve the document,
> 
> Regards,
> 
> -éric
> 
> ## DISCUSS
> 
> As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a
> DISCUSS ballot is a request to have a discussion on the following topics:
> 
> ### Section 6
> 
> What is a `LeafNode` ? I.e., please define what it is before using the term ;-)
> Very similar issue in 5.1 for `GroupInfo`. And as noted by Jinmei "Commit" and
> "Proposal".

Ideally, this language should not even be referenced as the notion of Leaf node is
not matching the targeted level of abstraction in the protocol document.
(the notion of Tree is internal to the protocol and not visible by the application)
Credentials should be used instead and I will ensure that it is introduced properly.

Generally, the notions of Group Info, Proposal and Commit are quite general and
seem acceptable to refer to in the architecture document, I will ensure that this
terms are properly introduced by possibly adding a Terminology Section.


> ### Section 7.1
> 
> Is it appropriate for an IETF RFC (even if informal) to qualify WireGuard and
> TOR as `secure channel` ? This DISCUSS point is only to generate discussion
> among the IESG during the telechat. This discuss point will be removed anyway
> after the discussion.

We have been using standard academic terminology for secure channels which is roughly
a communication channel between two peers providing secrecy of the data in transit.

TLS or QUIC are often referred to as secure transports, so I feel it is fine to keep this
terminology, but please let me know if that is a problem, I can certainly rephrase… : )
 

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> ## COMMENTS
> 
> ### Abstract about 'scalable'
> 
> This document and its companion appear to demonstrate the security properties
> of MLS, but do they also cover the scalability ones ? E.g., in section 2, there
> is `or as large as thousands`, good number but not enough for an IETF full
> remote plenary. Later in section 5, it is `groups with tens of thousands of
> members`, i.e., a different order of magnitude.

Scalability overall depends only on a few factors
1. Network latency and allowed bandwidth
2. Computational power of the devices running the client.
3. Frequency of the group operation messages (because it causes key updates)

In terms of complexity, the design is in general linear or sub-linear in the number of users
which is a significant improvement over existing designs. It could even go to 100k or 1M users
depending on the fine tuning of those parameters. 

So it can definitely handle a full remote plenary on most devices ; )

> ### Section 2
> 
> In `The Service Provider presents ....` is it unclear to me what service it is
> about ? The MLS service or the messaging service ?

Service Provider is meant for Facebook / Signal / Wire or any entity providing
an application relying on MLS.

> Is there a reason why sometimes AS/DS acronyms are used and at other places
> their expansions are used ?

This is just a convenience to familiarize the reader with the acronyms from time to time.

> `she can use to send encrypted messages to Bob and Charlie` is the message also
> signed by Alice ? Hinted in section 3 but worth already warning the reader...

The application messages are encrypted, maced and signed, yes.

> `join an existing group;` should "(by asking to be added)" be specified ? As
> per `leave a group`.
> 
> Does the MLS group intend to extend the MLS protocol itself to support group of
> moderators ? This sounds like a basic requirement to me (as a frequent
> videoconf user/moderator).

We designed the MLS protocol so that all protocol clients have the same abilities,
however, the application using the protocol can create these functionalities and for example
say, “well, I will only accept these changes to the group if they have been made by
this specific subset of users”. 

> ### Section 4.2
> 
> Why is "Partition-tolerant" mentionned in to the classes of DS ? It seems that
> it is useless to specify as a discriminator.

I think that the idea is to mention that some infrastructure might run the protocol in a partition
tolerant fashion and that the application can handle that scenario.
This is typically not the case of centralized infrastructure.

> I find this section difficult to read, e.g., what are the "Commit" or
> "Proposal" messages ? It seems that the flow is not natural.

I’ll improve the document to better introduce these terms as requested in the DISCUSS section.

> ### Section 5.4
> 
> Perhaps a mere rendering issue, but RECOMMENDATION appears in bold and is in
> uppercase while it is not a normative 'RECOMMEND'. Strongly suggest to use
> lowercase.

I’ll look into this. Thanks.

> ## NITS
> 
> ### SEction 1
> 
> Isn't `enjoy some level of security` ambiguous or under specified ?

Vastly, yes : ) The spectrum of properties is 

> ### Section 2
> 
> Please use the Oxford comma in `Alice, Bob and Charlie`

Ack

> ## Notes
> 
> This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
> [`ietf-comments` tool][ICT] to automatically convert this review into
> individual GitHub issues.
> 
> [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
> [ICT]: https://github.com/mnot/ietf-comments

Thanks for the review Éric !

Best,
Benjamin

v2.23.0 | Report a Bug | By Email