Re: [MLS] Mandating the expiration of KeyPackages (redux)

Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Sat, 07 March 2020 09:50 UTC

Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F00E3A0EE4 for <mls@ietfa.amsl.com>; Sat, 7 Mar 2020 01:50:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.014
X-Spam-Level:
X-Spam-Status: No, score=0.014 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XbiAbe_iNgV7 for <mls@ietfa.amsl.com>; Sat, 7 Mar 2020 01:50:21 -0800 (PST)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEA733A0EE2 for <mls@ietf.org>; Sat, 7 Mar 2020 01:50:20 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.70,525,1574118000"; d="scan'208,217";a="341586730"
Received: from 91-165-78-144.subs.proxad.net (HELO [192.168.0.1]) ([91.165.78.144]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Mar 2020 10:50:18 +0100
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Message-Id: <12FD4B1E-5673-407A-8AA8-B9D760DA94C5@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_95B60B80-971E-4076-B73C-6EB0DF16AACC"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Sat, 7 Mar 2020 10:50:18 +0100
In-Reply-To: <CABP-pSRkDeRc5_1nPViXqpa1XkqfA92t72fOWmmOZ9sDPoX3kQ@mail.gmail.com>
Cc: ML Messaging Layer Security <mls@ietf.org>
To: Brendan McMillion <brendan=40cloudflare.com@dmarc.ietf.org>
References: <CABP-pSRkDeRc5_1nPViXqpa1XkqfA92t72fOWmmOZ9sDPoX3kQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/vvXkDbnqoqHLOfuB_OOe34U_ctI>
Subject: Re: [MLS] Mandating the expiration of KeyPackages (redux)
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2020 09:50:23 -0000
X-List-Received-Date: Sat, 07 Mar 2020 09:50:23 -0000


> On 6 Mar 2020, at 21:26, Brendan McMillion <brendan=40cloudflare.com@dmarc.ietf.org> wrote:
> 
> Hello mls@
> 
> In PR #275 <https://github.com/mlswg/mls-protocol/pull/275/files>, we started mandating the expiration of KeyPackages. However, the PR also allows applications to set the expiration of the KeyPackage to the maximum value for Last Resort keys -- meaning they never expire.

Well, the previous situation was that there was literally no expiration field.

> I think this is conflating the problem that Last Resort keys solve with something else. Last Resort keys are a solution to DoS attacks, where somebody sends a user a lot of messages in a short period of time, to exhaust their cache of one-time-only keys and prevent anyone else from sending messages to the user. Last Resort keys are not a solution to the problem of the user being offline for an indefinite period of time. Trying to use Last Resort keys in this way can pose a problem for PCS, because if a user is compromised then any of these KPs can be used to “add” the user to the group, when they’re actually adding an adversary.

No... even if you were in my brain when I wrote it, I can assure you, it was not… : )
The goal was to achieve the first step of moving from no expiration to some expiration,
which was striking a balance when some of the editors were at a disagreement.

> It’s tempting to say that the PCS issue is solved by rotating the user’s identity key, as this invalidates all the previous KeyPackages that were never going to expire. However, this implies that the user’s identity key needs to be rotated as often as new KeyPackages would ideally be generated, which could create a substantial burden on the Authentication Service. Practically, I think it’s unlikely that identity keys will really be rotated this often, or that reliable revocation will be implemented by many operators. And finally, the rotation requirement is incompatible with the multitude of signature schemes that don’t require a new credential to be issued to achieve PCS.
> 
> The improvement I proposed in the PR was to remove this guidance, along with modifying the Expiration extension to be a (notBefore, notAfter) pair. Having start and end dates allows everyone to see the total lifetime of a KeyPackage, and enforce that the total lifetime is below some application-defined limit.


I think the design goals should be:
1. Allow and encourage agressive InitKey rotation
2. Don’t have a difference between InitKeys in terms of structure (last resort or not)
3. Don’t break existing products

Both 1. 2. and 3. are already possible in the current design, so the difference
I see are the editorial and the “notBefore” field which I see as a new feature, and I like it.
The PR doesn’t conflict with expiration of InitKeys on signature key rotation either,
so I think it is pretty good.

I agree with it and support this PR.
B.