Re: [xmpp] comments on draft-miller-xmpp-e2e-06

[Matt Miller <mamille2@cisco.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Thank you very much for the feedback!

I'll incorporate your suggestions as soon as I can.

On 3/6/14, 3:12 PM, Carl Wallace wrote:
> Section 1 - This may be in the reqs draft, but seems worth stating
> here that some end points for a given recipient may share keys,
> some may use different keys, some may have no keys and some may not
> support encryption or signature verification at all.
> 

We did discuss reviving the e2e-reqs draft in the WG session on
Tuesday, but it would be important to include this.

> Section 3 - What should the sender do if some end points for a
> recipient indicate lack of support for encryption?  Are error
> responses helpful independent of confirmation that some end points
> support encryption?  Is the intent for messages to only be sent to
> end points that advertise support?

There is little (read: nothing) that can be said on what existing
"legacy" end-points ought to do.  I tried to say something on what
existing clients already do, to the best of my knowledge.  Many (most)
drop anything they don't understand, so getting errors could very well
be impossible unless the applications were specifically updated to
"anti-support" this specification.  It's also possible I'm missing the
point here, too (-:

The intention is not for the sending end-point to only send to other
supporting end-points.  Indeed, I want this to be compatible with
[CARBONS] and [MUC] where the possible.  To that end, most clients try
to do something if there is a body, and this document could suggest
that sending end-points include an appropriate generic "this message
is protected" body.

> 
> - Why not include an end point's key in its info results and enable
> return of the encrypted SMK (or even CEK) with the encrypted
> payload (to save a round trip).  Given a single message could
> trigger a number of requests for the SMK, the option to include the
> encrypted CEK in the payload may be worthwhile.  Including the
> encrypted CEK would help with storage too.

The encrypted CEK is included in each message with -06.

Including an encrypted SMK is a possibility, although I start to worry
about the size of the overall stanza.  If it's absolutely known that
the message will be delivered to a single end-point it shouldn't get
too large, but I am assuming that servers will start multiplexing chat
messages (a la [CARBONS]) which means the benefits of including the
encrypted SMK are unrealized if only there's only a single instance of
the encrypted SMK; including multiple SMKs can be very problematic
(e.g., many server deployments reject very large stanzas).

> 
> 
> - Why is the SID required to be unique for a {sender, recipient,
> SMK} tuple?  This would allow for the same SID to be used to name
> every SMK used with a recipient.  Suggest unique for each recipient
> (i.e., SMK's are uniquely identified by recipient+SID for a given
> sender).
> 

I'm not sure what you're trying to say here (it could be due to me
responding on the last day of an IETF meeting).  Can you provide an
example of what your concern here is?

> - Discuss how multiple recipients are handled

That is a very good point.  There is some text there, but it is fairly
weak.  I was considering a form of ASCII sequence diagram of the
general flow -- would that better help to explain things?

> 
> - s/optionallly/optionally
> 

Fixed in working copy.

> - It would be nice to have a summary of new state information the
> sender and recipient are required to manage (like SMKs) and
> significant new operations (like authorization of key requests
> where a given recipient may use a number of different public keys)

That is a very good suggestion.  Do you think you could provide some
text to get it started?

> 
> - Should include an example of a reply to an encrypted message. 
> Should/must the same SMK be used in replies?
> 

That is not a bad idea.  I'll look into it.

> - Is there any reason pre-placed SMK values cannot be used instead
> of SMK values retrieved automatically from the sender?
> 

Is there any additional concern here beyond the point a few above?

> Section 4 - How is the public key used to verify signatures
> published to the recipients?  If not included in the payload,
> should be available a la the SMK.  This would be useful, at a
> minimum, when the signer uses a certificate from a PKI the
> recipient trusts.
> 

These are good points, and it ought to be included.  The JWS structure
does allow for inclusion of the jwk (or jku, or x5c, or x5t, or x5u)
which would be the key used to sign the content.  I'll add more
clarity on this point.

> - s/Playload/payload
> 

Fixed in working copy.

> - Include some text indicating users MUST be able to determine if
> a message was authenticated
> 

That is a good point.

> - Should data be presented to the user when the timestamp is not 
> acceptable?  There are guidelines for invalid signatures, but not
> for unacceptable timestamps.  Same comment on 3.3.5 too.
> 

I have been hesitant on dictating what to display to users.  I don't
want to tie the hands of implementations, and it's rather difficult to
independently verify that a given implementation complies without some
sort of officiating body (which we definitely don't want).

> - May want to distinguish between successful authentication vs
> successful verification
> 

Noted.

> Section 5 - Should describe how the entity requesting a key gets
> the SID
> 

I thought I had said that in here, but I'll clarify it further.

> - Should make it more clear that a new CEK is generated in order
> to encrypt the SMK, then the CEK is encrypted under the public
> key.
> 

You have this reversed: the SMK is used to encrypt the CEK, and the
recipient's public key is used to encrypt the SMK.  It is completely
possible that I was not consistent here.

> Section 9 - The requirement for the sender to be online would seem
> like sufficient grounds for including encrypted CEKs in the
> payload.
> 

Encrypted CEKs are in the payload in -06.

> Section 11 - Offline storage may be another reason to include
> encrypted CEKs in a payload.  Perhaps the solution should be to
> encrypt for each of a recipient's known keys plus an SMK that could
> be used by end points using a different,
> not-yet-known-to-the-sender key.
> 

You mean encrypted SMKs here.

One idea that had been discussed outside the meeting was to try and
use [PEP] as a way to do this, but we didn't spend a lot of time
thinking about the mechanics and implications here.


> - Need to address authorization for SMK release.
> 

I have pretty much hand-waved over this part.  One idea that came to
light this week was to provide fingerprints for the recipients' public
keys, somehow.  Suggestions for improvements are welcome.

> - Include some guidance on SMK lifetime.

There is *some* guidance in section 11.2, but I admit it is rather
vague.  Could you provide more specific suggestions?


- -- 
- - m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

[CARBONS] XEP-0280: Message Carbons <
http://xmpp.org/extensions/xep-0280.html >
[MUC] XEP-0045: Multi-User Chat <
http://xmpp.org/extensions/xep-0045.html >
[PEP] XEP-0163: Personal Eventing Protocol <
http://xmpp.org/extensions/xep-0163.html >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJTGawgAAoJEDWi+S0W7cO1Jo4H/R8AvTt1WBMIwvBD1U8JNBaP
M88uMewtHGoQ/NbizCPnNS8DTMQyMxs/z6w66WDBnNNuCFhjqgh5G4X7X9elnFzI
VezIMKsr5Jc6dlN/9jRgWdQtEuqqmuGKfMHaAoNdqph5pP+zWSx5yhMbcb/wN7Uu
6+JdY4GB9Yz3xBrwQTBZnkRqqTKKL34/WoX42j9Vy2JgFLyRMu3xoW6xg99622Ol
VJxXRs7X9uERB0Dn8xTW2NTnRIN82g4WZuuaJLOkGDFQaienaBwQTHhogjaHFcNv
aTCnQhipI8Io4gLdT3uFzn84oZDYhBCSGyclegAXesthI9gnO3I671YUfTJl9xo=
=G0xx
-----END PGP SIGNATURE-----