IETF Logo Mail Archive

Re: [MLS] Use Cases for avoiding Forward Secrecy

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 28 February 2018 18:18 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDC6F1201F2 for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 10:18:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bqgojLv3MTsb for <mls@ietfa.amsl.com>; Wed, 28 Feb 2018 10:18:42 -0800 (PST)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7F871200E5 for <mls@ietf.org>; Wed, 28 Feb 2018 10:18:42 -0800 (PST)
Received: by mail-oi0-x22e.google.com with SMTP id c18so2477766oiy.9 for <mls@ietf.org>; Wed, 28 Feb 2018 10:18:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=ZsI3SJCWo1Num5xYe7kF70yyF3eUW3U+fE/aCLwB3j8=; b=T5JIi2ZrOBK8slQZT9GDh60ZZXfRdSv4WUXfNNWRKCb95MeITJ9Ukh3JiasiMfQef8 Tfi7TSNhHqDvMrlMq1ioVh9ec3Ttz1orWvKKuQfxmA7MSU6EPnY+hH8+S+AYFKUmzqmg /FOg1mbLpbwxQXVTwZjGrPP/121Vxao3eS07Z0g1M7RWIlLhMbmF3U6mJI8pT0diHs+N H7ShJiqPr28/HItGVRtPoz7ILDzm1pdAuYdyrDx/K0BUC3G5MS+bl0jJwvZguSrs7qwk AI/gSibWy/ShERzuKDDDbf+MJ2rCWvvGj/3yhQHdu+INgB9y6jObPy9rjjB+5gP0NDhA XYUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=ZsI3SJCWo1Num5xYe7kF70yyF3eUW3U+fE/aCLwB3j8=; b=qtqmSVhad+mMbbX1dtU4pnwhNf0PeFjReIk6fU++Um0D7pHiekNoY9X/9HcmblUsir Y6hvCDBLr7AUtQxAgn+aIKJwvwD1ioCCMB2p8dZ357gl4qNjbyPNf+K6Qw2LotjjaUnT MfFQ+Qly69hyAYX5AzxBBrcYYwl/2sd4B7pD4Wsxk5bgnu2x7+6IETTC6LbBMSYLak+i 2PE/bievh3IIDn7/pl6nJsssb9kOhvECVPHaRHXwEezHiHpUCdfOPg1hfCzGTv6rSMSu MO9/2il2uM77Vpvlv87KQYQHrCLs/HTI2uqcghZd/IfzzBQZVpn+bzx8BBRNqSy6Vklq g9XA==
X-Gm-Message-State: APf1xPBJ/iMvMkbIhvO3KRRPzh/vBcX3hOS4DeUMbP/lor0IP4hNO/ql OCkMrQLYN9vfIGiddPiQGY20KCu1ZOPm8GHZVLA=
X-Google-Smtp-Source: AG47ELt+ZeBVYpwjal/vugkstFfVR6wL60p5GFxtWaYJa4rg7Ux7gxzGL0FKN2/nnOd25nIL9viIzO0RSkdgZmNWHbI=
X-Received: by 10.202.64.131 with SMTP id n125mr12437864oia.26.1519841922117; Wed, 28 Feb 2018 10:18:42 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.5.5 with HTTP; Wed, 28 Feb 2018 10:18:41 -0800 (PST)
In-Reply-To: <33211538-1DA2-4B42-A3BD-A6AD248C907A@wire.com>
References: <CAKHUCzxOwmPrpUUj6HSRMcxiXtRmT05OapeBQdRA49bSWum6yQ@mail.gmail.com> <33211538-1DA2-4B42-A3BD-A6AD248C907A@wire.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 28 Feb 2018 13:18:41 -0500
X-Google-Sender-Auth: JLqu49zaFj1jV749mmv0JJTo46U
Message-ID: <CAMm+Lwioq6RtRm3pX=P44QgtAvkYvopS6KVbdn0bym2z_XJucw@mail.gmail.com>
To: Raphael Robert <raphael@wire.com>
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="001a113de014e1f519056649c582"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/ycvfjObu7ZjlshDMYJz-m4iibCY>
Subject: Re: [MLS] Use Cases for avoiding Forward Secrecy
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2018 18:18:44 -0000

​The scope of the proposal, you mean.

MLS is not chartered yet. We are discussing what the scope should be. It is
really inappropriate to assert that has been decided before we have met to
even discuss what the scope should be.​

Having been involved in the IPSEC effort and seen where the insistence on
'strong security guarantees' led there, I want to see every security
requirement backed by a use case. Because what happened with IPSEC was we
ended up with a protocol that did not work in the real world because it had
been intentionally designed to be hostile to NAT and did not address a long
list of real world security issues.


On Wed, Feb 28, 2018 at 12:31 PM, Raphael Robert <raphael@wire.com> wrote:

> Hi Dave,
>
> Mandatory retention and UX are valid points of course. The scope of MLS is
> however to provide strong security guarantees like FS on the other hand.
> Re-using the same encryption key is something applications that use MLS can
> on the layer above the messaging protocol: the “application layer”. This
> would allow application developers to take that decision independently for
> the specific use cases they want to cater for.
>
> Raphael
>
> > On 28 Feb 2018, at 18:14, Dave Cridland <dave@cridland.net> wrote:
> >
> > Hi folks,
> >
> > While I'm really pleased to see MLS, and I generally like the idea of
> > Forward Secrecy, there's a couple of use cases where it might be worth
> > avoiding. Feel free to correct me if these are in fact possible with
> > Forward Secrecy. Both these relate to archival access to past
> > messages:
> >
> > * UX - Some users (actually all of them) would like to be able to
> > install client software on a new device and have their historical
> > messages available to them. Most "business" messaging systems seem to
> > work this way, as well as a number of consumer-grade systems. The
> > nature of Forward Secrecy means that an archive would need to be held
> > on one device and re-sent to another through the network, which is
> > trickier to manage, and is reliant on multiple devices being online at
> > overlapping times. Alternately, the archival copy might be re-uploaded
> > to the server using a static encryption key, I suppose, which would
> > rather spoil the point.
> >
> > * Retention - Many business and government deployments have mandatory
> > retention requirements. An example is MIKEY-SAKKE, promoted in part by
> > the UK Government for its own communications, which uses mandatory key
> > escrow to keep an archived copy of the messages accessible to the
> > business units involved. An advantage of the SAKKE system is that it
> > allows the key escrow to be offline, limiting attack opportunities.
> >
> > Given the latter, for example, I could not use an MLS-based system to
> > discuss a tax problem with the authority, and since I'm unlikely to
> > have a SAKKE-based messaging client, I'm unlikely to have encrypted
> > messaging to my tax authority at all - which seems signficantly worse
> > than merely having no Forward Secrecy.
> >
> > None of this is to say that Forward Secrecy should be avoided
> > entirely, of course.
> >
> > Dave.
> >
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email