Re: [MLS] Roman Danyliw's No Objection on draft-ietf-mls-protocol-17: (with COMMENT)
Richard Barnes <rlb@ipv.sx> Tue, 31 January 2023 15:17 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76982C14CE5F for <mls@ietfa.amsl.com>; Tue, 31 Jan 2023 07:17:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8RGXPRePRBnZ for <mls@ietfa.amsl.com>; Tue, 31 Jan 2023 07:17:21 -0800 (PST)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF3A9C14F737 for <mls@ietf.org>; Tue, 31 Jan 2023 07:17:21 -0800 (PST)
Received: by mail-wr1-x42c.google.com with SMTP id a3so7839407wrt.6 for <mls@ietf.org>; Tue, 31 Jan 2023 07:17:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=R/6cqgm5cnJ8HvqRSuZcN4e/ib7y7EJxcn9eGyC5pXA=; b=WbjyDUllJjeejbMYJIXMM1wzVI3/u1lCyS2hTQrqtBilC34d0jxnjczvKExeR7iWen DMDwfB4cs7vd6RjbDWcJ227UOO+FOr22cO3mQgrfQ/6d2xiG3EQiptkIqEoMVkL3iQ4t PF/GFb4AdJEHtAS5N1jDXdNJngkCBP65MfHPPc5M2nQ2fV15qDtrxplW1x8AszH310au dHFVYSDsBKvbmoUyZm/4I5sjdKTpvGbylq3ObdAu9yZ/iVfmSjOsiJDCkpXKey375NMx rCdDcKJo1qGTRcTF7UE4iGwWgWTJ8JkBT9JSe8TPnkeF9ANBcoRsa3M+xLZnXCGFXfag 2Tag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=R/6cqgm5cnJ8HvqRSuZcN4e/ib7y7EJxcn9eGyC5pXA=; b=nrV8qkebt/qStUCF3+VG4RkZ9R/U2R8NZHrbu44sHTsRLOnbFpV1VqreP2QvOwES8Q or1jfFN4oP3i/vMaVTtRi2IahOSTwuTCp4MK4+2uUE/Mr1fE3Kx/RNhoaxDYX4/VF7hf spuSrid9Ho+QdpDu+O3ooDd9ua2QO7uYum/iAfZ8W+GxQ2aqVn+9yNs6If+eDcu4Xr/M 5zqI+RNG4eNqBAvr2FxmyFGz7FSxi9f4poW5+sdwwbwc2WSdKCOs6qmEkPeHDTcelOcP oI9C8haX7K0+octfp6LKPQabMFjytfPyKaSacBTyFyvyHDyXt4SG9r2yR9S+WsBiWuo/ XtOQ==
X-Gm-Message-State: AO0yUKWVJJKvwHXtXUX5Hdr4nsLm/B8e0LIVpntNbts64Lm92vEK8Yq/ ZDOtZK76E0bXIjsSDE++zu5avavuLIJKO875GPkCRA==
X-Google-Smtp-Source: AK7set/eTkLorilm9XNN8lpgN2X+bmp0PUBw9lxvtxcNs2xjBzSgJgJU6hEgjknOqLukenJ90jkjwI3vKshLKfoyQ18=
X-Received: by 2002:a5d:4b12:0:b0:2bf:b54d:90f3 with SMTP id v18-20020a5d4b12000000b002bfb54d90f3mr961102wrq.351.1675178240289; Tue, 31 Jan 2023 07:17:20 -0800 (PST)
MIME-Version: 1.0
References: <167517543123.30783.12152568101815467862@ietfa.amsl.com>
In-Reply-To: <167517543123.30783.12152568101815467862@ietfa.amsl.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 31 Jan 2023 10:17:09 -0500
Message-ID: <CAL02cgQ5tFogfz_MUCQ6XzY6vB=5pgLgOLWMu9h8p1zjJKpM4g@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-mls-protocol@ietf.org, mls-chairs@ietf.org, mls@ietf.org, benjamin.beurdouche@ens.fr, karthikeyan.bhargavan@inria.fr, cas.cremers@cs.ox.ac.uk, alan@wire.com, singuva@twitter.com, kwonal@mit.edu, ekr@rtfm.com, thyla.van.der@merwe.tech, sean@sn3rd.com
Content-Type: multipart/alternative; boundary="000000000000f2c67c05f390d337"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/v7ZJsHYDHt_oVuvPHb4qmQ8zx7g>
X-Mailman-Approved-At: Tue, 31 Jan 2023 19:08:43 -0800
Subject: Re: [MLS] Roman Danyliw's No Objection on draft-ietf-mls-protocol-17: (with COMMENT)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 15:17:26 -0000
Hi Roman, Thanks for the review. A few responses inline. I have filed a PR for these changes: https://github.com/mlswg/mls-protocol/pull/850 On Tue, Jan 31, 2023 at 9:30 AM Roman Danyliw via Datatracker < noreply@ietf.org> wrote: > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > ** Section 2. > Handshake Message: A PublicMessage or PrivateMessage carrying an MLS > Proposal or Commit object, as opposed to application data. > > This definition of a handshake message is being defined in terms of a > Proposal > or Commit object, neither of which are defined in this session. > Furthermore, > PublicMessage or PrivateMessage aren’t defined either as this point in the > text. To improve clarity, consider defining these key terms. > I added definitions for "Proposal", "Commit", "PublicMessage", and "PrivateMessage". This turned out to help with the next comment... > ** Section 2. Editorial. > The PublicMessage and PrivateMessage formats are defined in > Section 6; they represent integrity-protected and confidentiality- > protected messages, respectively. > > The use of “respectively” in the text is suggesting that PrivateMessages > don’t > have integrity protection which is not accurate. > ... because I could put more detailed descriptions in the definitions and just remove this text. > ** Section 3.1. Typo. s/the the/the/ > Done. > ** Section 5.1.1. > (see the Cryptographic Dependencies section of > the HPKE specification for more information). > > Is this Section 4 of RFC9180? If so, why not say that? > Done. > ** Section 5.3.3. > > However, applications SHOULD NOT rely on the data in an > application_id extension as if it were authenticated by the > Authentication Service, > > What would be the circumstance where the application_id extension would be > treated with equal standing as something from the AS? Why can’t this be a > “MUST”? > I think this probably makes sense as a MUST, so I've put it in the PR. But other folks in the WG might have different opinions. > ** Section 12.2. > > A group member creating a commit and a group member processing a > commit MUST verify that the list of committed proposals is valid > using one of the following procedures, depending on whether the > commit is external or not. > > Unsaid is what to do if the proposal list is not valid. Please clarify. > Clarified that an invalid proposal list means the Commit is invalid. > ** Section 12.2 > > * It contains multiple Update and/or Remove proposals that apply to > the same leaf. If the committer has received multiple such > proposals they SHOULD prefer any Remove received, or the most > recent Update if there are no Removes. > > Is this normative behavior required, or could it be left up to > application? > The mixing of updates/removes on the same node and the SHOULD guidance > already > means that this “recovery from an invalid node” may not be consistent > across > clients/DS-es. > > Same observation on recovering from ReInit with any other proposals. > Sorry, I'm unclear on what you mean by "recovering from" here. The underlying principles here are: * The Commit sender may not have received all the Proposals that were sent in an epoch * Aside from the constraints here, the Commit sender may freely choose which Proposals to commit For example, in this case, a Remove might be rejected because application policy says that its sender isn't authorized to remove the subject Net of all that, I think the answer to your question is that the normative behavior is not required, and that the possible inconsistency is deliberately allowed to create space for application-level policies. > ** Section 12.4. > > Due to the asynchronous nature of proposals, receivers of a Commit > SHOULD NOT enforce that all valid proposals sent within the current > epoch are referenced by the next Commit. In the event that a valid > proposal is omitted from the next Commit, and that proposal is still > valid in the current epoch, the sender of the proposal MAY resend it > after updating it to reflect the current epoch. > > Is there any additional retry mechanism? Let’s say the sender of the > proposal > doesn’t see it reflect in the epoch after it sent proposal. And then not > in > the next epoch. Does it try resending indefinitely? > This is an application-level consideration, since it interacts with potential application-layer constraints on what proposals are allowed. For example, in an "moderated" group where only certain "moderator" members are allowed to add or remove members, a Add/Remove proposal by a non-moderator might never be committed because it is forbidden by application policy. > ** Section 15.1. > If Alice asks > Bob "When are we going to the movie?", then the answer "Wednesday" > could be leaked to an adversary solely by the ciphertext length. > > This setup seems a little simplistic. If the application data is > encrypted to > begin with, how does the adversary know the question being posed by Alice? > For example, maybe the attacker can tell from application context that Bob is sending his question to a movie scheduling bot. But I don't think this document is the place for a complete primer on the risks of traffic analysis. We already have citations to studies that cover these risks in more detail. Best, --Richard
- [MLS] Roman Danyliw's No Objection on draft-ietf-… Roman Danyliw via Datatracker
- Re: [MLS] Roman Danyliw's No Objection on draft-i… Richard Barnes