Re: [saag] Revised version of draft-knodel-e2ee-definition
Mallory Knodel <mknodel@cdt.org> Fri, 12 May 2023 14:43 UTC
Return-Path: <mknodel@cdt.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C9EEC151B27 for <saag@ietfa.amsl.com>; Fri, 12 May 2023 07:43:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n6kS_Co0q5gh for <saag@ietfa.amsl.com>; Fri, 12 May 2023 07:43:22 -0700 (PDT)
Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 816D0C14CE31 for <saag@ietf.org>; Fri, 12 May 2023 07:43:22 -0700 (PDT)
Received: by mail-pf1-x436.google.com with SMTP id d2e1a72fcca58-6438d95f447so7063316b3a.3 for <saag@ietf.org>; Fri, 12 May 2023 07:43:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; t=1683902601; x=1686494601; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=qFkFv6vgQqqhyv20+SydNUG4CHBIyYrg6AQDKnt9+sg=; b=kX0tSxJr3EFC9/tv+BniB5Hek7G1PxC6OUktmQOXt6gkYaK+wOMT1rZklhVaf66CQ2 +WPCz9ziSMFg/zDMozWIcLdc++UV6DdSNCVXcf4bF4ykPYFzKrDWgenfDsu+ixZoXMtO 4dqdOBHCva3JreKruGN4ttw9qHS9VWCSLAiD8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683902601; x=1686494601; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=qFkFv6vgQqqhyv20+SydNUG4CHBIyYrg6AQDKnt9+sg=; b=iPCeGLHdcHuWqGUyNFW1ZCwipRvM6xFUlQP3wg13el9tfo3UTjyPfB51qX3VDEivuQ luYaEALgOCtiVedpeExQiczU3M/m3nAMsdyTL6S4hugsXsxAnKyw+tZjl6pSfCvd3ooM z/iAgQSAPlXQNxBl3yvAzGRvcLv4vife3VxRXHJAO6e2VkPQCCZYlyn0+coDdZFhX4UQ bV1tIkf83XHW47NCIftgbmYyc1eeYFaFxZ8RAe3YFwU2x2RxGXxUvtndPATer0cawo36 Vpvs0disDKguXTRj0dqyhQ+m/rE46RGGHdYhSKPeIaFWVRyLFwos5Vgtr+6lFkCOZ5wQ g8DA==
X-Gm-Message-State: AC+VfDwbxP04XDec9poicLxuLERRXmvvKU4bI+3qwe+O0ZueqGSU4Qqc o5rj7+eLrrujqsvd2PpFQ3gfw9jFwsRtz65c2Ms=
X-Google-Smtp-Source: ACHHUZ5T1rx6r51HsnJ77QtAv7lTfKRsAvWgEdd65BBiXXKCE4AWxku4PwdC+RI6pD8X9GjV3uKaBw==
X-Received: by 2002:a17:902:70ca:b0:19d:20a:a219 with SMTP id l10-20020a17090270ca00b0019d020aa219mr21750150plt.66.1683902601341; Fri, 12 May 2023 07:43:21 -0700 (PDT)
Received: from [172.20.4.237] ([134.204.1.199]) by smtp.gmail.com with ESMTPSA id 12-20020a170902c14c00b001add1ab9cc1sm3127778plj.199.2023.05.12.07.43.20 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 12 May 2023 07:43:20 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------zT8Gg8EC6SC755U0J07YmqJE"
Message-ID: <f600ada8-46bc-d716-9ff9-ae021b5cb0e9@cdt.org>
Date: Fri, 12 May 2023 10:43:19 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Eliot Lear <lear@lear.ch>
Cc: IETF SAAG <saag@ietf.org>
References: <CAGL5yWb=5MomKHwNKiEDph3kjrcbvonaL2ZEytGpKeNk7A87sQ@mail.gmail.com> <CABcZeBOzzOU-HDb2hmzcCipgiVqB6gACQMfo9GJsTT7UNw+eOA@mail.gmail.com> <CAGL5yWZsFnV1eSrrT2-7yh=0VhwqyQJL-RaEU33M2P9S9_KF=g@mail.gmail.com> <CABcZeBMKx6pPwUaXy05dP9nOvNST0_zX46ChqvApKC__HL9ELA@mail.gmail.com> <17a053ac-2b91-7fa0-ef5a-01fde9d2599f@cdt.org> <7b26d659-07fb-a4ba-8052-c9c22e4f4b44@lear.ch>
From: Mallory Knodel <mknodel@cdt.org>
In-Reply-To: <7b26d659-07fb-a4ba-8052-c9c22e4f4b44@lear.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/g2z1H9kWkwqnguzMPYc9kwD-MiE>
Subject: Re: [saag] Revised version of draft-knodel-e2ee-definition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2023 14:43:27 -0000
Hi Eliot, On 5/12/23 3:39 AM, Eliot Lear wrote: > > I would recommend starting by *concisely* defining the term, > elaborating the properties, why they are important, and how protocol > designers can help. It's clear that there is not even agreement on > what e2ee should mean, and it's not yet even clear that the term is > the right one to use. Get consensus on all of this, and it seems to > me that you've done a good day's work. > > Systems aspects can be introduced, but only to support the above. > Introducing them in the definition or the properties is, I think, > counterproductive. > On the question of systems, of the options below it sounds like (3) would be your preference. -Mallory > Eliot > > On 11.05.23 13:37, Mallory Knodel wrote: >> >> Hi all, >> >> On the larger question of system versus protocol in this document, >> the following top post: >> >> I think we can resolve this in a few ways. >> >> 1) we keep the text as describing systems and achieve some high level >> of guidance that impacts closer to users >> >> 2) we revise the text to remove the systems framing, but sacrifice >> some of what we wanted to achieve in terms of addressing ambiguity in >> tradeoffs for implementers >> >> 3) we do a reorg of the text around (2) but add the systems >> considerations as a separate section. >> >> Because it was a deep discussion and intentional choice early on in >> the drafting, I think the authors and I are still partial to (1) and >> I would be happy to explain more about why. But I wanted to offer >> these (only, as I see it) options as a way forward in the hope of >> gathering feedback from folks about what would truly best reflect an >> IETF-consensus document on the question "what is e2ee"? >> >> Mille thanks, >> >> -Mallory >> >> On 4/23/23 7:02 PM, Eric Rescorla wrote: >>> On Fri, Apr 21, 2023 at 5:43 PM Eric Rescorla <ekr@rtfm.com> wrote: >>> >>> > > ---- >>> > > The basic mismatch I see in that respect is that the IETF designs >>> > > protocols and this document focuses on systems. >>> > >>> > >>> > I don't agree with that assessment. Section 3 is all about protocol >>> > properties. Yes protocol properties sometimes are the same or >>> > translate into system properties too. >>> >>> And if this document only consisted of Section 3, the >>> conversation would be different. But that's not the case. >>> >>> >>> > Section 4 is about user >>> > expectation, which again is the expectation the user has backed by how >>> > the protocols runs on the system. >>> >>> The issue here is that many of these properties are properties >>> of the system architecture, and not of the protocols that the >>> IETF is building, which can be used either in modes which >>> provide end-to-end security and in modes which do not, and >>> often in contexts where it's not possible for one endpoint >>> to determine which is which. >>> >>> >>> > If you look at discussion around >>> > draft-thomson-tls-keylogfile we are also very concerned on how the >>> > system will make use of this protocol/standard. >>> >>> Here and below where you cite 1984 and 7258, you seem to making some >>> process point about what is potentially in scope for IETF. But that's >>> not what I'm addressing here. Stipulating for the moment that this is >>> in scope for IETF, and putting aside the important differences between >>> 1984 and 7258, which (1) were *policy* statements about the IETF's >>> practices, which this is not and (2) were developed by the leadership, >>> not AD sponsored, my point is that this document isn't particularly >>> helpful in the task of the IETF which is primarily to design technical >>> specifications for protocols. >>> >>> The reason for this is as I indicated in the following passage from >>> my review: >>> >>> Based on the text in Section 2.4 and 3.1.1, I take it that the >>> position that this document takes is that only System 2 is E2E >>> secure >>> and that Systems 1 and 3 are not. While I agree that this is >>> true from >>> a systems level, it's not helpful in IETF, which concerns >>> itself with >>> designing protocols. >>> >>> To attempt to sharpen this point: many of the protocols that we are >>> designing here can be used *either* in modes which provide what this >>> document describes as E2EE or in modes where they do not. For example, >>> S/MIME can provde E2EE but if it's terminated at a Webmail server, it >>> most likely does not do so. However, this is an invisible difference >>> to the peer. There are numerous other examples, such as devices >>> which have monitoring systems on them. >>> >>> Much more useful is to think about protocols and protocol architectures >>> which are *compatible* with end-to-end encryption and those which are >>> not. For instance STARTTLS is not, and S/MIME is. That is actually >>> a useful guide to protocol design and analysis. However, trying to >>> define E2EE in a way that includes these exogenous factors is not, >>> because it elides that protocol level difference. >>> >>> >>> > > It seems that the wide view that this document takes really >>> interferes >>> > > with any plausible analysis of whether a given system is E2EE. >>> To take >>> > > a concrete example, imagine a messenger systems of type (2) above, >>> > > which, I think this document would think was E2EE. Now imagine it's >>> > > installed on a computer with extensive monitoring software which can >>> > > introspect into the memory of the client. As I understand S 4.4 and >>> > > 4.6, this document would say that that system no longer provided >>> E2EE. >>> > > That seems very unhelpful for the purpose of protocol or even >>> systems >>> > > design, in that a system that provides E2EE can no longer provide it >>> > > for reasons totally out of control of the system designers. >>> > >>> > >>> > I don't see the problem with describing this? Sure, we don't write in >>> > the NFS protocol that a compromised endpoint leads to a failure of >>> > encrypted network traffic, but we also don't tend to have MITM attacks >>> > against NFSv4 (or parental control, or anti-spam filtering, etc). I >>> > think it is the protocol context here of endusers' communication that >>> > brings this aspect more into scope for this specific class of >>> > protocols. >>> >>> I don't understand what point you are trying to make here. >>> >>> >>> >>> > > S 2.2 >>> > > I don't think the attempt to derive the definition of E2EE from >>> > > the end-to-end principle gets us very far. It's fine as a sort >>> > > of motivational concept, I suppose, but the problem here is you >>> > > are trying to define E2EE whereas the E2E principle kind of assumes >>> > > that the ends are well-known. >>> > >>> > >>> > I don't understand the point you are trying to make here? Can you >>> try and >>> > rephrase this? >>> >>> I don't think that it's productive to try to treat the end-to-end >>> argument as some kind of axiom that we derive the idea of >>> E2EE from. >>> >>> >>> > > The principle has evolved to an understanding that the >>> "network's job >>> > > is to transmit datagrams as efficiently and flexibly as >>> possible", >>> > > and the rest should be done at the ends. [RFC1958] This >>> principle >>> > > can also be extended to the design of applications itself. >>> > > [saltzer][RFC3724][RFC3238] >>> > >>> > > This text is especially problematic because every real E2EE >>> messaging >>> > > system I know does a huge amount of stuff in servers. Indeed, >>> > > what's common is to end-to-end encrypt data precisely to separate >>> > > it from the stuff the server operates on. >>> > >>> > >>> > I think the original text is talking about content, whereas you are >>> > referring more to metadata? >>> >>> I think you're overreading that text. Here is the entire sxn: >>> >>> The end-to-end principle is a core architectural guideline of the >>> Internet. [RFC3724] >>> >>> The principle has evolved to an understanding that the "network's job >>> is to transmit datagrams as efficiently and flexibly as possible", >>> and the rest should be done at the ends. [RFC1958] This principle >>> can also be extended to the design of applications itself. >>> [saltzer][RFC3724][RFC3238] >>> >>> Which part of this do you think confines the discussion to content? >>> >>> >>> > > S 2.4. >>> > > This section is very confusing because it glues together the >>> concepts >>> > > of protocol (in scope for IETF) with application (largely out of >>> scope >>> > > for IETF). See my comments above. >>> > >>> > >>> > I think the "glueing together" is exactly the important thing. Outside >>> > the IETF, there are those that conflate everything into protocol >>> > properties and pretend required features can always be part of the >>> > protocol (eg "exceptional access"). Therefor the document cannot >>> > escape talking about protocol vs systems. It is exactly to clarify the >>> > parts the IETF can and cannot work on because it is or is not at the >>> > protocol level. >>> > >>> > >>> > > S 3.1.1. >>> > > Confidentiality A system provides message confidentiality if >>> only >>> > > > the sender and intended recipient(s) can read the message >>> > > > plaintext, i.e. messages sent between participants can only be >>> > > > read by the agreed upon participants in the group and all >>> > > > participants share the identical group member list. >>> > >>> > > So if we are in a conversation protected with MLS, and I forward >>> > > a message to someone not in the group, then it's not E2EE? That >>> > > seems pretty obviously wrong. >>> > >>> > >>> > That would be taking the message outside the system. It is not >>> > different from you reading the message out loud over the PA >>> > system. This reasoning is a bit far fetched. >>> >>> I'm just reading the literal text here, which says: >>> >>> if only the sender and intended recipient(s) can read the message >>> plaintext >>> >>> Of course, this is a trivial observation but it's precisely this >>> kind of trivial observation/attack that makes writing exact >>> definitions so difficult (incidentally, this is a common problem >>> in formal protocol modelling). If this document is to claim >>> to provide a definition, then it needs to actually be exact >>> and take into account this kind of thing (this is part of why >>> I am advocating not doing so!). >>> >>> >>> > > Integrity A system provides message integrity when it guarantees >>> > > > that messages have not been modified in transit. If a >>> message has >>> > > > been modified, it must be detected in a reliable way by the >>> > > > recipient. >>> > >>> > > Authentication A system provides authentication if the >>> recipient and >>> > > > sender attest to each other's identities in relation to the >>> > > > contents of their communications. >>> > >>> > > What does "attest" mean? >>> > >>> > >>> > That both parties agree on what they deem trustworthy as a way to >>> > accept/confirm each other's identity. Which could be an openpgp key to >>> > a nickname or a government issued passport deemed fraud resistant. I >>> > assume the word "attest" is used exactly to leave the mutually >>> > acceptable methods out of scope. >>> >>> Well, attest usually has some indication that one claims something, >>> to another party, so I would choose a different word. >>> >>> >>> > > S 3.1.2. >>> > > Availability A system provides high availability if the user >>> is able >>> > > > to access the contents of the message (decrypt them) when >>> they so >>> > > > desire and potentially from more than one device. For >>> example, a >>> > > > message can arrive to a recipient even after they have been >>> > > > offline for a long time. Note that applications that use this >>> > > > feature often implement a threshold for this property: number or >>> > > > aggregate size of messages; or messages from a month ago can be >>> > > > read by a user that has been offline, but not messages from >>> a year >>> > > > ago. >>> > >>> > > Loss Resilience If a message is permanently lost by the network, >>> > > > sender(s) and/or recipient(s) should still be able to >>> communicate. >>> > >>> > > These are odd definitions and seem to be really tied to Instant >>> Messaging. >>> > > In particular, I would usually expect availability to be tied to >>> service >>> > > operational guarantees as much as protocols. How would you apply >>> thes >>> > > to (say) QUIC, where the considerations are totally different. >>> > >>> > >>> > As you described above yourself, a transport layer security protocol >>> > is not a full e2ee protocol. >>> >>> This isn't my position at all. A transport-layer security protocol >>> can be a full e2ee protocol in some contexts (e.g., DTLS-SRTP >>> when the endpoints are full clients talking directly to each other) >>> and not in other circumstances (e.g., DTLS-SRTP when the endpoints >>> are talking to an MTU). >>> >>> > >>> >>> > > Post-compromise security Post-compromise security is a security >>> > > > property that seeks to guarantee future confidentiality and >>> > > > integrity in the face of a passive end-point compromise (and >>> > > > consequently that communication sent post-compromise is >>> protected >>> > > > with the same security properties that existed before the >>> > > > compromise). It is usually achieved by adding new ephemeral key >>> > > > exchanges (new randomness) to the derivation of encryption/ >>> > > > decryption keys every 'x' amount of time or after 'n' messages >>> > > > sent. Note that post-compromise security is not met in the face >>> > > > of active attackers that compromise an end-point. >>> > >>> > > This doesn't seem strictly right. For instance, if I compromise an >>> > > endpoint and steal its keys but don't do a Key Update and then lose >>> > > access, then when that endpoint updates its keys, I will lose >>> access, >>> > > no? >>> > >>> > >>> > Right, but do you envision systems where an attacker only managed to >>> > steal session keys, but not the long term identity keys? >>> >>> It's in fact possible to provide PCS in these circumstances, though >>> we'd have to get into some detail on whether MLS (for instance) >>> does so. >>> >>> >>> > > Metadata obfuscation Digital communication inevitably >>> generates data >>> > > > other than the content of the communication itself, such as IP >>> > > > addresses, group memberships, and date and time of messages. To >>> > > > enhance the privacy and security of end-to-end encryption, steps >>> > > > should be taken to minimize metadata. Additional steps should be >>> > > > taken to prevent leakage such as hiding users' IP addresses, >>> > > > reducing non-routing metadata, and avoiding extraneous message >>> > > > headers. >>> > >>> > > This also seems like a very messaging-focused definition. For >>> instance, >>> > > it's not meaningful for QUIC to conceal IP addresses. >>> > >>> > >>> > See my comment above. I think of QUIC as a transport security >>> > mechanism only. If you mean a system based on mutually authenticated >>> > TLS with webpki based certificates using QUIC, I would probably agree >>> > with the current draft that such a system would not meet the minimum >>> > requirements of an e2ee protocol/system (because many CAs could forge >>> > new enduser identities) >>> >>> Putting aside the transport versus message question, which I addressed >>> above, this seems like a very surprising statement. Is your claim, >>> then, that S/MIME does not provide E2EE (ignoring the WebMail case) >>> because there are multiple cert providers? What system do you believe >>> currently provides E2EE? >>> >>> >>> >>> >>> > > Disappearing messages For confidential conversations, >>> deleting one- >>> > > > by-one sensitive messages typically depends on a level of >>> client- >>> > > > side security that is unsustainable. For example, endusers can >>> > > > still copy text or screenshot images outside the secured client >>> > > > application. A certain level of trust among users of the system >>> > > > is required. That said, features like "delete for me", "delete >>> > > > for everyone" or "disppearing messages" which is time based >>> > > > automated deletion of content do still provide a valuable >>> defense >>> > > > amongst trusted parties in the event of a compromise of a device >>> > > > of one of the participants. >>> > >>> > > This doesn't seem like a property of the encryption at all. It's >>> solely >>> > > an application feature. I think it's also important to note that >>> > > this is not really consistent with open protocols and >>> implementations. >>> > >>> > >>> > I commented on that similarly as well and suggested the quoted text >>> > above to make that point as well. The text does state now that it is >>> > limited to "trusted users" (aka the assumption people don't lie and >>> > skip deleting messages), and in the context of complying users, it >>> > still adds a level of security (eg i voluntarily delete old stuff, so >>> > if I am forced to unlock my phone at the airport, most content will no >>> > longer be on my phone). I think the above text does capture that >>> > properly. >>> >>> As I said, I think that this should make clear that in open systems >>> this is just a hope-based feature. >>> >>> >>> > > People have the right to data privacy as defined in international >>> > > human rights law, and within the right to free expression and >>> to hold >>> > > opinions is inferred the right to whisper, whether or not >>> they are >>> > > using digital communications or walking through a field. >>> > >>> > > I don't think that trying to root this in human rights law is >>> helpful. >>> > > That's not where people's expectations derive from. >>> > >>> > >>> > I do think human rights are those rights that people expect to have. >>> >>> Really? What fraction of messaging users do you think even know >>> what the UDHR is? >>> >>> >>> > > S 4.3, 4.4. >>> > > It's not clear to me that either of these match user expectations. >>> > > In particular, user's experience is that client software is wildly >>> > > insecure, and many users have the experience of having monitoring >>> > > software on their machines. I'm certainly not saying that either >>> > > of these situations is desirable, but they are common, even in >>> > > settings where people run messaging systems which in other >>> environments >>> > > would provide E2EE security by the definition here. >>> > >>> > >>> > I think there is an issue on the interpretation of "expected" >>> > here. While I "expect" security, I also expect "total failure of >>> > security". >>> >>> In that case, a better word than "expect" seems like it >>> would be helpful. >>> >>> -Ekr >>> >>> On Sat, Apr 22, 2023 at 9:19 AM Paul Wouters <paul.wouters@aiven.io> >>> wrote: >>> >>> [still speaking as an individual only] >>> >>> >>> On Fri, Apr 21, 2023 at 5:43 PM Eric Rescorla <ekr@rtfm.com> wrote: >>> >>> Document: draft-knodel-e2ee-definition-10.txt >>> >>> ---- >>> The basic mismatch I see in that respect is that the IETF >>> designs >>> protocols and this document focuses on systems. >>> >>> >>> I don't agree with that assessment. Section 3 is all about >>> protocol properties. Yes protocol properties sometimes are the >>> same or translate >>> into system properties too. Section 4 is about user expectation, >>> which again is the expectation the user has backed by how the >>> protocols runs >>> on the system. If you look at discussion around >>> draft-thomson-tls-keylogfile we are also very concerned on how >>> the system will make use of >>> this protocol/standard. >>> >>> Based on the text in Section 2.4 and 3.1.1, I take it that the >>> position that this document takes is that only System 2 is >>> E2E secure >>> and that Systems 1 and 3 are not. While I agree that this is >>> true from >>> a systems level, it's not helpful in IETF, which concerns >>> itself with >>> designing protocols. >>> >>> >>> The IETF does describe how to safely use protocols on systems. I >>> don't see >>> that as an issue myself that this is done here as well. >>> >>> Specifically, there is an important distinction between a >>> protocol >>> like MLS, which is *compatible* with a fully E2E system and >>> a protocol >>> like TLS, which is not--at least for messaging--though it >>> might be E2E >>> in other contexts. And because the IETF's job is to design >>> protocols, >>> having a definition which tends to elide that distinction >>> doesn't seem >>> very helpful for our purposes, though it might of course be >>> useful for >>> other purposes. >>> >>> >>> There are RFCs that explicitly talk about expectations on how to use >>> protocols or protocol elements. Think of RFC 1984 and RFC 7258. >>> Describing >>> the enduser expectations of a system is something that can be in >>> scope in >>> my view. >>> >>> ---- >>> >>> I would make two more points: >>> >>> The text here seems extremely focused on Instant Messaging-type >>> applications and doesn't fit well with other protocols, even >>> when they >>> provide end-to-end encryption. Either it should be scoped >>> down to >>> Messaging or it should be adjusted to be more broadly >>> applicable. >>> >>> >>> What other protocols does it not fit with? Wouldn't the same >>> apply to >>> video conferencing, audio streams, file exchange protocols, etc? Do >>> you have an example of a protocol that falls outside the scope of >>> this document? >>> >>> It seems that the wide view that this document takes really >>> interferes >>> with any plausible analysis of whether a given system is >>> E2EE. To take >>> a concrete example, imagine a messenger systems of type (2) >>> above, >>> which, I think this document would think was E2EE. Now >>> imagine it's >>> installed on a computer with extensive monitoring software >>> which can >>> introspect into the memory of the client. As I understand S >>> 4.4 and >>> 4.6, this document would say that that system no longer >>> provided E2EE. >>> That seems very unhelpful for the purpose of protocol or >>> even systems >>> design, in that a system that provides E2EE can no longer >>> provide it >>> for reasons totally out of control of the system designers. >>> >>> >>> I don't see the problem with describing this? Sure, we don't >>> write in the NFS >>> protocol that a compromised endpoint leads to a failure of >>> encrypted network traffic, >>> but we also don't tend to have MITM attacks against NFSv4 (or >>> parental control, or >>> anti-spam filtering, etc). I think it is the protocol context >>> here of endusers' communication >>> that brings this aspect more into scope for this specific class >>> of protocols. >>> >>> I don't think Informational drafts should be using 2119 language >>> like this. >>> >>> >>> That's a fair point. I agree that should be changed as well. >>> >>> S 2.2 >>> I don't think the attempt to derive the definition of E2EE from >>> the end-to-end principle gets us very far. It's fine as a sort >>> of motivational concept, I suppose, but the problem here is you >>> are trying to define E2EE whereas the E2E principle kind of >>> assumes >>> that the ends are well-known. >>> >>> >>> I don't understand the point you are trying to make here? Can >>> you try and >>> rephrase this? >>> >>> The principle has evolved to an understanding that the >>> "network's job >>> is to transmit datagrams as efficiently and flexibly as >>> possible", >>> and the rest should be done at the ends. [RFC1958] This >>> principle >>> can also be extended to the design of applications itself. >>> [saltzer][RFC3724][RFC3238] >>> >>> This text is especially problematic because every real E2EE >>> messaging >>> system I know does a huge amount of stuff in servers. Indeed, >>> what's common is to end-to-end encrypt data precisely to >>> separate >>> it from the stuff the server operates on. >>> >>> >>> I think the original text is talking about content, whereas you >>> are referring more >>> to metadata? >>> >>> S 2.3. >>> This whole second paragraph seems kind of irrelevant to >>> producing a >>> definition. While I disagree with MSJ about the role of >>> authentication >>> in such a definition, I think his text is otherwise much >>> crisper. >>> >>> >>> I'll leave it to the authors to integrate/replace based on the >>> list feedback. >>> >>> S 2.4. >>> This section is very confusing because it glues together the >>> concepts >>> of protocol (in scope for IETF) with application (largely >>> out of scope >>> for IETF). See my comments above. >>> >>> >>> I think the "glueing together" is exactly the important thing. >>> Outside the IETF, there >>> are those that conflate everything into protocol properties and >>> pretend required >>> features can always be part of the protocol (eg "exceptional >>> access"). Therefor the >>> document cannot escape talking about protocol vs systems. It is >>> exactly to clarify >>> the parts the IETF can and cannot work on because it is or is >>> not at the protocol level. >>> >>> >>> >>> S 3.1.1. >>> Confidentiality A system provides message >>> confidentiality if only >>> the sender and intended recipient(s) can read the message >>> plaintext, i.e. messages sent between participants can >>> only be >>> read by the agreed upon participants in the group and all >>> participants share the identical group member list. >>> >>> So if we are in a conversation protected with MLS, and I forward >>> a message to someone not in the group, then it's not E2EE? That >>> seems pretty obviously wrong. >>> >>> >>> That would be taking the message outside the system. It is not >>> different from >>> you reading the message out loud over the PA system. This >>> reasoning is a bit >>> far fetched. It's like me saying firefox doesn't support private >>> browsing because I can >>> take a photo or screenshot of the browser (even over your shoulder) >>> >>> Integrity A system provides message integrity when it >>> guarantees >>> that messages have not been modified in transit. If a >>> message has >>> been modified, it must be detected in a reliable way >>> by the >>> recipient. >>> >>> Authentication A system provides authentication if the >>> recipient and >>> sender attest to each other's identities in relation >>> to the >>> contents of their communications. >>> >>> What does "attest" mean? >>> >>> >>> That both parties agree on what they deem trustworthy as a way >>> to accept/confirm each other's identity. Which >>> could be an openpgp key to a nickname or a government issued >>> passport deemed fraud resistant. I assume the >>> word "attest" is used exactly to leave the mutually acceptable >>> methods out of scope. >>> >>> S 3.1.2. >>> Availability A system provides high availability if the >>> user is able >>> to access the contents of the message (decrypt them) >>> when they so >>> desire and potentially from more than one device. For >>> example, a >>> message can arrive to a recipient even after they have >>> been >>> offline for a long time. Note that applications that >>> use this >>> feature often implement a threshold for this property: >>> number or >>> aggregate size of messages; or messages from a month >>> ago can be >>> read by a user that has been offline, but not messages >>> from a year >>> ago. >>> >>> Loss Resilience If a message is permanently lost by the >>> network, >>> sender(s) and/or recipient(s) should still be able to >>> communicate. >>> >>> These are odd definitions and seem to be really tied to >>> Instant Messaging. >>> In particular, I would usually expect availability to be >>> tied to service >>> operational guarantees as much as protocols. How would you >>> apply thes >>> to (say) QUIC, where the considerations are totally different. >>> >>> >>> As you described above yourself, a transport layer security >>> protocol is not a full e2ee protocol. >>> >>> >>> Forward secrecy Forward secrecy is a security property >>> that prevents >>> attackers from decrypting encrypted data they have >>> previously >>> captured over a communication channel before the time of >>> compromise, if the attacker compromises one of the >>> endpoints. >>> Forward secrecy is usually achieved by regularly >>> deriving new >>> encryption/decryption keys, and destroying old keys >>> that are no >>> longer required to encrypt or decrypt messages. >>> >>> I agree with John Mattson that while this may not be >>> formally part of >>> a definition of E2EE, it's clearly a best practice for >>> encryption, >>> so framing it as optional is problematic. >>> >>> >>> Agreed. >>> >>> >>> Post-compromise security Post-compromise security is a >>> security >>> property that seeks to guarantee future >>> confidentiality and >>> integrity in the face of a passive end-point >>> compromise (and >>> consequently that communication sent post-compromise >>> is protected >>> with the same security properties that existed before the >>> compromise). It is usually achieved by adding new >>> ephemeral key >>> exchanges (new randomness) to the derivation of >>> encryption/ >>> decryption keys every 'x' amount of time or after 'n' >>> messages >>> sent. Note that post-compromise security is not met >>> in the face >>> of active attackers that compromise an end-point. >>> >>> This doesn't seem strictly right. For instance, if I >>> compromise an >>> endpoint and steal its keys but don't do a Key Update and >>> then lose >>> access, then when that endpoint updates its keys, I will >>> lose access, >>> no? >>> >>> >>> Right, but do you envision systems where an attacker only >>> managed to steal session keys, >>> but not the long term identity keys? These days that is very >>> unlikely to be the case, but I >>> do hope that in the future that would be more common (eg store >>> long term identity private >>> keys in hardware with no export capability) >>> >>> The text could be tweaked a bit to take these considerations >>> into account. >>> >>> Metadata obfuscation Digital communication inevitably >>> generates data >>> other than the content of the communication itself, >>> such as IP >>> addresses, group memberships, and date and time of >>> messages. To >>> enhance the privacy and security of end-to-end >>> encryption, steps >>> should be taken to minimize metadata. Additional steps >>> should be >>> taken to prevent leakage such as hiding users' IP >>> addresses, >>> reducing non-routing metadata, and avoiding extraneous >>> message >>> headers. >>> >>> This also seems like a very messaging-focused definition. >>> For instance, >>> it's not meaningful for QUIC to conceal IP addresses. >>> >>> >>> See my comment above. I think of QUIC as a transport security >>> mechanism only. If you mean >>> a system based on mutually authenticated TLS with webpki based >>> certificates using QUIC, I >>> would probably agree with the current draft that such a system >>> would not meet the minimum requirements >>> of an e2ee protocol/system (because many CAs could forge new >>> enduser identities) >>> >>> Disappearing messages For confidential conversations, >>> deleting one- >>> by-one sensitive messages typically depends on a level >>> of client- >>> side security that is unsustainable. For example, >>> endusers can >>> still copy text or screenshot images outside the >>> secured client >>> application. A certain level of trust among users of >>> the system >>> is required. That said, features like "delete for >>> me", "delete >>> for everyone" or "disppearing messages" which is time >>> based >>> automated deletion of content do still provide a >>> valuable defense >>> amongst trusted parties in the event of a compromise >>> of a device >>> of one of the participants. >>> >>> This doesn't seem like a property of the encryption at all. >>> It's solely >>> an application feature. I think it's also important to note that >>> this is not really consistent with open protocols and >>> implementations. >>> >>> >>> I commented on that similarly as well and suggested the quoted >>> text above to make that >>> point as well. The text does state now that it is limited to >>> "trusted users" (aka the assumption >>> people don't lie and skip deleting messages), and in the context >>> of complying users, it still adds >>> a level of security (eg i voluntarily delete old stuff, so if I >>> am forced to unlock my phone at the airport, >>> most content will no longer be on my phone). I think the above >>> text does capture that properly. >>> >>> S 3.2. >>> Below is a best effort list of the challenges currently >>> faced by >>> protocol designers of end-to-end encrypted systems. >>> Problems that >>> fall outside of this list are likely 1) unnecessary >>> feature requests >>> that negligibly, or do nothing to, achieve the aims of >>> end-to-end >>> encrypted systems, or are 2) in some way antithetical to >>> the goals of >>> end-to-end encrypted systems. >>> >>> This seems like a very strong statement. As a concrete >>> example, having >>> large scale e2ee video has a number of problems in terms of >>> working >>> out what should be encrypted, what the functions of the SFU >>> are, etc. >>> I don't think these fall into either (1) or (2). I would >>> just remove >>> this claim. >>> >>> >>> Fair. I'll leave that up to the authors to handle. >>> >>> >>> S 4. >>> I would make two broad points: >>> >>> 1. This whole section seems to really embody the conflation of >>> systems and protocols. >>> >>> >>> We discussed that earlier in this message already. >>> >>> 2. I think the assertions about user expectations here are very >>> strong. It's not clear to me these in fact are what users >>> expect (I have noted some such cases below). So I think this >>> needs to be rewritten. >>> >>> People have the right to data privacy as defined in >>> international >>> human rights law, and within the right to free expression >>> and to hold >>> opinions is inferred the right to whisper, whether or not >>> they are >>> using digital communications or walking through a field. >>> >>> I don't think that trying to root this in human rights law >>> is helpful. >>> That's not where people's expectations derive from. >>> >>> >>> I do think human rights are those rights that people expect to have. >>> >>> And the IETF >>> certainly shouldn't be making normative statements here >>> about whether >>> people have a "right to whisper" whatever that means. >>> >>> >>> I don't see why not to elaborate on the users' expectation being >>> grounded in some >>> pretty universal concepts but I personally have no strong >>> feelings about including the >>> sentence or leaving it out. >>> >>> >>> >>> S 4.2. >>> Like John Mattson, I find this sxn very confusing. Users may >>> in fact >>> think that the provider is trustworthy, but the whole point of >>> E2EE is to provide security even in the face of a largely >>> untrustworthy >>> provider. >>> >>> >>> Agreed, it should be fixed. >>> >>> >>> >>> >>> S 4.3, 4.4. >>> It's not clear to me that either of these match user >>> expectations. >>> In particular, user's experience is that client software is >>> wildly >>> insecure, and many users have the experience of having >>> monitoring >>> software on their machines. I'm certainly not saying that either >>> of these situations is desirable, but they are common, even in >>> settings where people run messaging systems which in other >>> environments >>> would provide E2EE security by the definition here. >>> >>> >>> I think there is an issue on the interpretation of "expected" >>> here. While I "expect" >>> security, I also expect "total failure of security". I expect >>> firefox to be a secure >>> browser but I'm expecting to see CVEs in the future too. >>> >>> Paul >>> >>> >>> _______________________________________________ >>> saag mailing list >>> saag@ietf.org >>> https://www.ietf.org/mailman/listinfo/saag >> -- >> Mallory Knodel >> CTO, Center for Democracy and Technology >> gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780 >> >> _______________________________________________ >> saag mailing list >> saag@ietf.org >> https://www.ietf.org/mailman/listinfo/saag -- Mallory Knodel CTO, Center for Democracy and Technology gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780
- [saag] Revised version of draft-knodel-e2ee-defin… Paul Wouters
- Re: [saag] Revised version of draft-knodel-e2ee-d… Alan DeKok
- Re: [saag] Revised version of draft-knodel-e2ee-d… Tony Rutkowski
- Re: [saag] Revised version of draft-knodel-e2ee-d… Alan DeKok
- Re: [saag] Revised version of draft-knodel-e2ee-d… John Mattsson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Tony Rutkowski
- Re: [saag] Revised version of draft-knodel-e2ee-d… Alan DeKok
- Re: [saag] Revised version of draft-knodel-e2ee-d… Tony Rutkowski
- Re: [saag] Revised version of draft-knodel-e2ee-d… Alan DeKok
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Alan DeKok
- Re: [saag] Revised version of draft-knodel-e2ee-d… Black, David
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eliot Lear
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Black, David
- Re: [saag] Revised version of draft-knodel-e2ee-d… John Mattsson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Alan DeKok
- Re: [saag] Revised version of draft-knodel-e2ee-d… Tony Rutkowski
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eliot Lear
- Re: [saag] Revised version of draft-knodel-e2ee-d… Ted Lemon
- Re: [saag] Revised version of draft-knodel-e2ee-d… Tony Rutkowski
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eliot Lear
- Re: [saag] Revised version of draft-knodel-e2ee-d… Michael StJohns
- Re: [saag] Revised version of draft-knodel-e2ee-d… Ted Lemon
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eric Rescorla
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eric Rescorla
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eric Rescorla
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eric Rescorla
- Re: [saag] Revised version of draft-knodel-e2ee-d… Peter Gutmann
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eliot Lear
- Re: [saag] Revised version of draft-knodel-e2ee-d… John Mattsson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eliot Lear
- Re: [saag] Revised version of draft-knodel-e2ee-d… Paul Wouters
- Re: [saag] Revised version of draft-knodel-e2ee-d… Salz, Rich
- Re: [saag] Revised version of draft-knodel-e2ee-d… Paul Wouters
- Re: [saag] Revised version of draft-knodel-e2ee-d… Michael Richardson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Michael Richardson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Michael Richardson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Salz, Rich
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eric Rescorla
- [saag] Scope of draft-knodel-e2ee-definition Black, David
- Re: [saag] Revised version of draft-knodel-e2ee-d… Antoine FRESSANCOURT
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Michael Richardson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Michael Richardson
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eliot Lear
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eric Rescorla
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Eric Rescorla
- Re: [saag] Revised version of draft-knodel-e2ee-d… Christopher Wood
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Scope of draft-knodel-e2ee-definition Mallory Knodel
- Re: [saag] Scope of draft-knodel-e2ee-definition Christopher Wood
- Re: [saag] Revised version of draft-knodel-e2ee-d… Christopher Wood
- Re: [saag] Revised version of draft-knodel-e2ee-d… Christopher Wood
- Re: [saag] Scope of draft-knodel-e2ee-definition Black, David
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Mallory Knodel
- Re: [saag] Revised version of draft-knodel-e2ee-d… Gurshabad Grover
- Re: [saag] Revised version of draft-knodel-e2ee-d… Black, David
- Re: [saag] Revised version of draft-knodel-e2ee-d… Gurshabad Grover
- Re: [saag] Revised version of draft-knodel-e2ee-d… Black, David