Internet Engineering Task Force Interim Meetings, 26 May 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: MLS WG Interim Meeting, 2021-05-26

Description

MLS WG Interim Meeting, 2021-05-26

A

There you go all right, you can leave your video on if you want, and I just copy that from something else.

A

um This is the itf notewhale, um basically, uh rules and procedures and stuff for um um participating in the meeting a lot of it has to do with ipr. um Please, if you know something say something: basically, um some third-party artists acquired disclosures haven't made. uh um What else? Also, please be professional, all that good stuff? If you have any questions you can, you can ask the chairs.

A

And nick and I are here with sonic around there in the corner.

A

All right so without further ado, the administrative that we have. Let me try it right in the middle, um so we did the note well uh virtual blue sheets. They might be automatic, I'm not sure again, I'd appreciate if you could go to the kodi. We do need a note.

B

Taker I can take some notes.

A

I don't agree richard. I appreciate that. um uh I don't know that we actually use java this much in this session, but if there is somebody that's in jabber, if somebody does say something and would like to get it um spoken at the microphone or into the audio feel free to uh do that. For me, and I really appreciate it, um we got a couple of requests for things to work on.

A

I know that joel had a thing for improving entropy that we want to do at the beginning, because he's got a drop at the top of the hour. I know we have kind of outstanding issues that I think we're going to walk through um the github repo and the protocol, as well as the architecture. Draft karthik has a presentation that you'd like to talk about some informed suggestions and comments based on some implementations of f, sharp and then mallory asks for about five minutes to talk about the end definition.

A

Is there any um way you'd like to do this? Do we think I think we have to keep uh joel's first? The question is: should we move the karthik's presentation up to be in front of the protocol.

C

I would be in favor of that.

A

All right, I think that makes sense too, because then we can figure out how it goes from there. So I'll do that. um If there's any other topics, I think I think there's going to be a lot of topics that deal specifically with the protocol architecture drafts as we actually work through the github repo.

A

So I think things will just kind of pop up and the status we got a new draft of the architecture draft which is great um and we're going to continue to iterate on that um the ml protocol document is version 11 still, it's kind of the feature freeze and the federation draft has expired and we'll hope to get that kicked back off again.

A

Maybe after we get the protocol document kind of nailed down a little bit more, the timeline is still the same as last time. We're still kind of in this feature freezing analysis, um I'm hoping that we can get through the stuff that uh the set of suggestions and changes that we've got now, which may probably result I think in another working class call. But you know that's that's tbd,.

B

Sean, if I could comment just briefly on a couple of milestones or not milestones in progress, we've made it in implementation. um The mlspp and openmls teams have been doing a little bit of interrupt. Work um have made um some reasonable progress because we think we are interoperating on pretty much all of the test factors now and we just haven't gotten around to doing the actual protocol operations- that's kind of next verizon, so we are getting pretty close to um interoperability on draft 11 plus a couple of nits we found.

B

um So that's that's promising the implementation front, and then um I will just uh you know. uh I now mention here that we are getting pretty close to shipping, um not quite uh roughly draft 11 in webex. I think, is shipping to beta this week so exciting.

D

B

Running code out there, let's.

A

Cool all right um without further ado, let me switch over here to karthik slides, stop sharing those slides share. Another set of slides.

E

Are we doing me first or joel first.

F

Oh sorry, right! Yes, so I don't have slides for joel.

C

I don't really either and I'd also like to preface this by saying it's conrad and and me um so, okay, in fact uh so conrad, please feel free to um jump in at any time and say things help or if you feel like it, you can just lead. um Otherwise I would just sort of give the intuition behind what this um pull request does um sort of some pros some cons around doing it. This way um kind of addressing the main criticism.

C

I think that sort of came out on the mailing list, um I'm just putting both both arguments there. So that's that's my plan, so maybe one thing is this pr 467. This is 467.

A

All right, let me make sure to share that thing.

C

uh Okay, so paula, would you like to say stuff or should I just go ahead.

G

uh Sorry well to find the button mute. uh Yes, please go ahead I'll jump in. If I have something to say.

C

Okay, good well all right, so so here's the deal. um The idea is that um we want to introduce, with this pull request a couple of ways of hardening the protocol against situations where your operating system or your operating environment, whatever is giving you bad or no entropy or the adversary, is learning about your random. Your rng state and you know, there's different ways of saying the same thing really.

C

So what we're trying to do with this pull request is reduce the dependency of the protocol on getting bad good entropy from the operating system right um and so the way we do, that is by introducing the concept of an entropy pool, that's local, to a client, um and the way this pr is written is so that it doesn't break compatibility.

C

In other words, you could in principle, have one client that does this implements this pr and another one that doesn't, and they really could just they could just talk to each other. There's no problem, um so the benefits are reaped by any client that implements the pr. Essentially.

C

um So that's in terms of compatibility at the high level. How does this work? um Well? So a client, that's implementing this pr will have what would be called an entropy pool. It's it's really just a big stream. Okay, it's like whatever 256 bits or you went. I don't know I forgot what we call 32 bytes or something anyway. uh That's what the entropy pool is. Okay and the idea is there's two ways this.

C

This pool gathers entropy for the client and there's two sources of entropy that you mix into this pool and then every time the protocol needs entropy, because, basically because you're generating keys right, that's kind of the main times when you there's also these nonce uh sort of this non-thing that that's the other time. I think you need entropy so overall the way that the whole thing works is the client will periodically mix in entropy into this pool and it sort of it accumulates inside this pool and whenever the protocol says oh shoot.

C

I need entropy, because I got whatever sample a key. Then it extracts entropy from the pool okay. So that's sort of the overall way that this works um in terms of implementation. It's actually real. It's really quite simple, because it's just calling hkdf, that's, I don't think, there's anything more to it. You just call hkdf both when you're in entering when you're, inserting entropy absorbing it into your pool and when you're extracting entropy from your pool they're, both just hkdf calls with the right parameters.

C

Obviously, okay, so there's no new, crypto, primitives or anything uh being being introduced here um you can now in you can get entropy from two sources. um I think. Did we settle in the end on the terminology of internal external? Well, in any case, you can get entropy either from the outside of the whole mls session and everything which essentially means it's from your os or your crypto library or whatever you normally get your entropy from so that's one place.

C

The client can import entropy into the entropy pool, but the other place that's kind of more interesting. Maybe these to me personally um was this great idea, conrad, which is that you can also extract entropy from an existing session right. So if, if, whenever there's a commit right, we get a new application, key schedule and what this pr introduces is an extra a new secret that we derived off of this application key schedule, which you can then feed back into your entropy pool.

C

So the idea is this is a mechanism that allows one client who currently is in a state where their os is not providing them any entropy to refresh their entropy pool using entropy. That is essentially coming from other clients in a session via the session to this to this client right. So this this- and this is kind of important, because it's going to play into this discussion around whether we should be really doing this pr in this way or not.

C

So I think that's kind of the high level design connect. Is there anything I'm missing here from the high level.

G

um No, I think I think you covered it all pretty nicely. Maybe just one thing: the construction is essentially the same as the key schedule. So um really, if, if there's a bug in the construction, there's a bug in the key schedule- and it's really as simple as it can be- and it's also conceivable to not just include entropy from the os but also other sources, for example, I think for tls.

G

That was the proposal made that you could uh get uh entropy from by like signing a bit string using an hsm and then putting that into the pool. So essentially the pool is pretty open as to where the randomness can come from, so it can be extended in that way, um and also like. It should be noted that the the randomness that that the pool gets from the individual sessions is kind of a best effort approach, because uh essentially what it does. It gets a value from the key schedule and injects it into the pool.

G

So, of course, all the group members can get that same entropy, but it may be depending on your threat model. It's it's. If anything, it's a it's a net plus for the entropy at the local client.

G

Sorry yep, that was it.

C

Yeah, one thing that also I just uh I I think uh to add here is that um the whole thing is forward secure right, so uh both pcs and forward secure in the following sense.

C

If the adversary knows your current entropy pool, but you inject new entropy, even cumulatively, so little bits of entropy at a time, it builds up to a state where the adversary knows nothing about your entropy pools and now you're.

C

Getting good randomness, that's kind of pcs analogy here and the forward secrecy analogy is: if you extract a bunch of random randomness, so you're, basically generating a bunch of keys like new signing keys and new seeds for doing update paths and all that stuff and then after you've done that stuff, the adversary learns your entropy pool all that stuff you extracted is still secure. So that's like the foreign secrecy analogy here, so we get both forward secrecy and pcs on this whole entropy thing uh in line with what we expect from all our privacy guarantees.

C

So I wanted to kind of summarize my understanding of the pros and cons of doing things. This way, um uh let me start with the cons paraphrasing um so the arguments. I think that sort of the most cogent argument against doing this pr is that we're kind of introducing.

C

B

Anyone else lose joel.

G

Yep not hearing anything.

C

Okay, I don't know.

B

I think you're back now.

G

C

How far did you guys hear.

B

Oh you're, starting the cons.

C

Good cons, um so the I think the main con that that I've, I've seen or I've extracted from the discussion on the mailing list is that providing good entropy should be something that is the role of the environment that we're running our clients in whether you know the the operating system or the crypto library, or something like that, and so we're kind of mixing boundaries here by saying, oh well now also the mls implementation is also going to be in charge of managing entropy.

C

I think that was one argument against and another argument against was introducing more complexity.

C

I I feel, like the complexity argument, is relatively for me, relatively straightforward uh uh sort of to to to to counter, because in terms of actual implementation cost as combat was saying, I mean this. Is it's really very, very simple? It's a couple of extra calls to hkdf that mirror exactly the way already that our key schedule works.

C

um We don't introduce any new primitives. We have one extra variable, um so I'm hoping in terms of implementation complexity. That's not too big of a deal here, the caveat being you need to hook. Well, no, in fact, you don't so yeah. So basically, I think that's.

C

My point of view is the complexity of the implementation shouldn't be so much of a hurdle. um The more basic argument against is this idea that you know we should be not. We should just let the os deal with randomness now, maybe there's an argument to be made there. um I I'd like to sort of have my counterpoints to that argument. I'd like to state those here, uh the first being another principle of good design.

C

I think for security protocols for crypto protocols is to minimize our requirements on the environment in which our protocols operate right, and in this case one of the key requirements is good entropy and the exact notion of good is what we're discussing here and without this pr we need a very strong notion of good and with the pr we need a weaker notion of good entropy.

C

There can be phases where the os doesn't give you any good, entropy or very low, entropy or whatever, and with the pr you remain in secure sessions and without the pr you could end up in an insecure session right. So this is all one way to view what this pr is doing is to minimize the expectations of the environment that the mls session operates, that the client operates in better. That's one thing: the other argument against the separation between the other, you know who deals with entropy should be only the os or not.

C

Is this the fact that the pr allows you to pull in entropy from an existing session? This is something that I'm not sure how you would even go about implementing.

C

If you want to say, hey, I'm going to outsource all of this to the os or or my crypto live or whatever I don't see how the os is even going to do that, and if it is it's going to be, you know it's going to be involved, and maybe it involves like polling or or you need your client now to export every time that a commit happened in a session so that the os no knows okay. That means I need to pull entropy from the client to mix into the rng.

C

I don't think that that's really something people are going to do, which means that if we just say we're going to push this to the os, I feel like we're. Just not people are just not going to do this, we're just going to lose that security advantage which the pr gives us. So, even if we subscribe to the notion that it should be the os's job to handle entropy, it's still not clear to me how you go about implementing something that gives us the equivalent security properties that this does.

C

So, I think that's sort of my story at this point. I'm not sure if conrad has anything to add.

G

I think you've pretty much covered it.

A

So julian on this on this particular point, almost always what has happened in the ihf protocols? Is they point to rfc 4086 and they say good randomness is required and stop. So that's that's often what what gets done just just want to let you know.

C

H

So if I may, as I think this is actually a good idea, my concern is about specifying this in the current documents, because it's not really an mls specific thing.

H

So the the the part that takes in entropy from mls, like the fact that mls actually outputs some entropy to some mechanism is relevant, but in some sense the mechanism itself actually is not relevant to mls directly, it's more generic than that.

H

So when I, if I were to do this, what I would do is probably separate this from the protocol and say: oh the protocol. By the way, if you have such a mechanism available, please use it and specify that in something like a cfrg rfc, uh because this is the you know, it's like uh it's a it's a it's a mechanism that can be useful. Actually, I think it's very clever and we should probably have that somewhere, but you know it doesn't really make sense for it to be in mls right.

H

So I think we can do sort of this hybrid thing where we say in the in dml spec. Please uh use that stuff, but actually make the definition outside mls inside some cfrg specific draft, which can be reused by everybody else. um If that makes sense,.

C

It makes high-level sense. I think I would have a little bit of.

C

I would at least need help, let's say in understanding how you would specify in a separate draft how and when to extract entropy from an existing session, because that's the part that makes it hard for me to put this all on the outside and say that it's independent of mls, because I understand it's not.

H

C

H

H

Yeah, so I mean again: that's that that's pretty I mean I don't see too much problems there I mean if you have such a mechanism, you, you just output, some uh at some specific points in the mls protocol. You use the uh the key schedule to extract some entropy and give it to that that function, and you can do you can actually do it at any time right.

H

You don't care, because it's uh it's just a contribution, so you can do it anytime anywhere, like there's no specific reason to to constrain the protocol in using this at a specific time or anything.

H

um So I yeah, maybe nick you have like a good opinion since you've already worked on those problems um and as part of the cfrg I mean, do you think it's interesting to have it as part as a specific graph that cfrg that we can reuse for everything else so.

I

I would point you to rfc 8937, which is what we did at the r at the cfrg about this it. It covers the uh randomness improvements extracting from either symmetric, shared secret or a um asymmetric share secret. uh I don't think this covers everything that joel presented um joel presented the idea of having kind of an entry pool which is a little bit beyond this. This this covers just the. How do you safely take uh an existing secret and generate entropy from it?

I

uh So uh it may be possible to refactor this pr down to kind of the bare bones uh and and reference something like 8937 but um 89 37 has you know a proof that cass and whatnot have gone through uh to show that this is a valid mechanism for extracting entropy, so it could be worth referencing this, but um again it doesn't cover everything that joel presented.

A

Okay, so there's uh richard is reminding me: there's a list here with people being very polite and raising their hands. I don't know who got there first. So, let's just work from the top down from what I see so richard. Why don't you go first, then we'll do car thicker than raphael.

B

I I have a bit of a point of order here in that um the mls protocol draft is an interop specification and, as I think joelle mentioned at the beginning of his discussion, um this is something that doesn't affect it's kind of, not externally observable. It doesn't affect interoperability, it's purely about what an implementation does internally to make. You know greater or lesser demands on its platform's randomness.

B

um So while I think this, so I think where that points is just that this doesn't I I don't see this being a required uh component of the protocol. I think we can recommend it as something for implementations to do, but I don't think it rises. It's clearly not an interoperability requirement, and so I would hesitate to make it mandatory.

B

With regard to the cfrg question, this seems like a small enough thing that I might not go to the effort of spinning up a new draft, so I think my preferred outcome here would be to capture this as a recommendation, either in the protocol or architecture documents as an optional recommendation and just capture it in these. These draft these documents here.

C

E

uh Yeah, so I think my points have already been mostly covered, but I guess the my feeling when we formalize the spec is that the mls spec is has too much implementation detail already. In fact, I would like to remove some implementation specific detail from it and make it more kind of implementation diagnostic more like a protocol level. Spec would be ideal.

E

Actually so- and this is like richard was saying- I think it's a very useful thing, but I wonder if there is actually room for a third rfc in the in the in this working group, which actually is a list of implementation recommendations, because I think we have a bunch of them uh that are now starting to pollute a little bit the the rsc. I mean uh one of the concerns for examples that I brought up a little while ago with the hpke authors, which I felt had an impact on mls.

E

Is that uh the way we are doing uh the way we are using hpke in in mls, we in the worst case might be generating up to n or n minus one keys in a for every update, assuming a completely empty tree. uh For doing the hpk n minus one ephemeral keys and we have a result locally here, we can prove that, in fact, you don't need to do that. You can reuse the same ephemeral key for all the hpk's that you're doing in a single update.

E

Now you can't reuse it across updates, but in a single update you can, which will significantly reduce both the entropy needs of doing an update and the size of the update, because you can actually share the 32 bytes across all of the hpk ciphertext.

E

Now this breaks in some sense the abstraction of hpk, and so it's kind of not a great thing to do at this stage, because hpk is already pretty much standard. However, uh if you observe it a bit from a bit further away, this can be done by any implementation. As long as you have a nice proof that this is actually a a good way of implementing it of implementing mhpk multiple recipe and hpke, so this could be done in an implementation without breaking interoperability.

E

So, in a way I did not even propose it on the list, because I felt you know what this is the kind of thing that should go into an implementation recommendation section. We shouldn't, pollute the spec with something that actually doesn't need to be there, but it would be nice for an implementation to do it for efficiency purposes or in some cases like in this, in this particular pr for security purposes.

E

A

There are yeah so karthik just to be clear: there's no constraints on making um an implementation draft. Do we want another draft or to put a section in either one of these documents? There's no problem with that whatsoever.

A

E

And the last kind of point in some sense here is that, yes, there is this rfc at the cfrg, which seems to cover some things. It doesn't seem to allow us to add external entropy in as an entropy pool. It seems unfortunate, I mean it's sort of if it had been anticipated and so on, but I can totally imagine in a system that we should recommend that people that okay mls is an entropy source. It can actually produce entropy every epoch and we should use it and put it into a pool.

E

But maybe there are tls connections happening. Tls-13 connections happening in the same machine, and maybe the tls exporters could be a good entropy source too. Why should we restrict ourselves to mls? You know in a in a way this is a very powerful and useful construction which I think should mix an entropy from multiple sources and we should allow it to mix multiple sources to get the best possible entropy in this particular system.

A

Thanks raphael.

D

Yeah, my plans have been covered as well. I just wanted to add one more small thing: um roy you said that this would potentially allow us to have a different definition of what kind of quality of entropy we need for mls, and I don't think that that's entirely true, because in practice, when you bootstrap a client, what really happens is that that client needs to generate signature, keys first and then probably a bunch of key packages, and at that point you don't have any mls session. So you start with whatever entropy the system gives you.

D

Of course you can improve it over time, especially for key packages. You can, as you do updates, then you can profit from this entropy pool for signing keys. That really depends on whether the application rotates signing keys or not, um but for the initial phase it doesn't really lower the requirements you have with respect to the quality of what your operating system gives. You.

C

Yeah, I I also think for the initial phase. It doesn't it's. uh It helps in scenarios where you have entropy and then you lose entropy. I think that's more like the scenario where you can still expect security, despite having lost entropy and generating keys in this period, when you don't have entropy.

C

To be fair, it's a subtle difference between what the good that you need without the pr and the good that you need with pr. I completely agree: it's not a straightforward thing where you can just say: oh, I don't need entropy from the environment. That's not true. There are times where you still need, in particular the one you pointed out when you initialize.

C

If you can never generate a secret from the get-go, then you can't get secrecy in your session, which means also the entropy you import from your sessions will not be random for the adversary and so you're, not actually importing entropy. So you at some point need to be able to establish confidentiality, but after you've established confidentiality, you could lose entropy in your environment and you can still be.

C

You could still have privacy because you're getting entropy from your sessions and therefore perpetuating the secrecy of those sessions. Does that make sense.

D

Yeah yeah totally. I just uh want to make sure we're on the same page, but it doesn't solve the initial problem at all.

J

No, it's the initial problem. I agree.

A

Okay, so we seem to have drained the cue, so it sounds to me like everybody's, on board that thinks that this is important. The question is where to put it- and I um personally prefer that we actually keep the dot, keep this information somewhere in this document until we figure out another landing place for it as opposed to just kicking it out completely.

A

So is there some way that we can formulate this document this this information and put it in an appendix for now and refer to it and say you know we got to have random, you got to have good entropy, you can go here, but then you know rfc 4886 or um you know, or this other thing uh that's in the that's described in our appendix and then if we do actually get enough people to get their an implementation draft together that um it can be moved there, because I just don't, I don't think we should.

A

We should lose the information.

B

I I would be okay with that. If we were not trying to finalize this the protocol drafts, so I mean it's easy enough to spin up a new draft. I would say: let's just start up a new draft put it in there, um and then I mean, or even just like the pr will continue to exist, even if it's closed, um and so the text won't be there. um So I'm not worried about losing track of this of this proposal.

C

I really like the idea of an implementation draft to simplify a the protocol draft and b give implementers implementers a place to find all these all these sort of considerations. I think that that's a cool idea all.

A

Right, if that's, if that's, unless there's any objections, I'm sounds like a good plan for me.

G

So, just an understanding correctly, this would be something that's essentially in parallel to the architecture dock in the protocol dock, it would be a new document.

A

Yes, um so I was, I was thinking at one point that the architecture document would actually have some of these kind of implementation hands. But if we're not going to put those in there we're going to put more specific details in another document, we can just start another document start it just starts out as an individual draft, and then we have to do like the process of adopting it.

A

But where we say hey does everybody want to adopt it and then we we switch it over to a working group draft but yeah, but that's basically the.

H

Plan again, um if we are gonna, do that, uh why don't we do that in the cfrg group? I mean it's super useful. If we do it in some sense to me it's more like either we we just take it in the protocol document somewhere or we just. uh We need to do this right, it's not like who is it.

I

I think sean is suggesting something more general um in particular not specific to this. uh This randomness improvement strap, but just in a protocol implementation considerations, draft for mls in total, uh and then some of the protocol draft could be completely extracted as it as um karthik pointed out yeah. But you.

H

Know I'm exactly saying that I mean it doesn't prevent the other rights we. We can still do that for things like kartik mansion. We can have this implementation thing, but uh again I don't care in the end, if it's not used, if people have to point to the ml to an mls object, that's fine, but to me it makes more sense to have it at cfrg.

H

Even if we have to push it quickly, but you you are you I mean: do you think it's valuable or not nick, because if you tell me like cfrg doesn't care, then we should do that. We should have it in dms working group. If you tell me, cfrg is interested in doing that. Then we should.

I

I would I would find.

H

I

Unlikely that cfrg would be interested in an mls.

H

I

H

That's the information, so then we can, we can take it as a draft.

I

We have rafael waiting.

E

No, I think, rafael forgot to put his hand down.

D

uh I'm sorry just struggling with the ui here.

E

Yeah and just to clarify the proposal that I was making earlier was that I have a feeling that the various implementers of mls together have already got several things that they would like to document on the right way of doing various things, and we don't want to pollute the protocol document. So I suspect that we there is going to be quite enough for an implementation draft, uh including some of the pr's we'll discuss later. I think.

B

The one thing I.

H

B

um If, if we wanted to um have a smaller pr on the protocol document, just expressing the requirements um around entropy and saying you know this, this protocol does a lot of it requires a lot of entropy at various points um and produce can produce entropy that could be fed back into something like a pool. um I think that that would be a fine thing to have in security considerations.

G

Okay, it sounds like um we would want to. We should change them. The pr then or create a new pr with those security considerations, as you just detailed richard and then create a new document. I don't know how I don't know how I would go about it, but maybe somebody.

E

I can help with that.

G

And yeah thanks and then and then take that as as the place where we well put this pr as well as probably further uh prs and then, if, if there's interest in generalizing this approach and making it available for other protocols as well, um then we can still see if we want to do that later. On.

A

Fantastic all right, I'll move on to karthik's presentation, see if I can make this work. So do I share myself. uh I should be able to do this, and then you can just tell me when to when to proceed.

A

Don't even see the slides.

E

Yeah, I can see them. I think people should be able to see them too all right. So this is um work that you've been doing at indriya, uh and I wanted to give you a little bit of an update on where we are. We are going and stuff like that. It's a bit rambly! So I'm going to hard stop myself it's uh at the hour, let's say, and if we still have more time we can go, go over it at the end.

E

uh This is just some observations that we came up with and raised some questions, so we want to kind of uh bring it up with the group. So sean next slide, please all right. So what have you been doing? You've been very quiet for a while. uh So let's remind people that what in our group, what we've been trying to kind of answer is, can we give a security proof or a comprehensive model of mls as in something that is a proof that it works for all the details of the corner?

E

Cases of mls, including you know, at the byte level, so our approach has been. We've we've been trying to build and we have now built an executable, interoperable model of mls and star so to add to richard's notes about interop. We now have a third interrupting implementation, which also interrupts with openmls and passes the test vectors.

E

So that's cool uh and the idea was that we're going to define all the security goals using typed in variants and fstar prove not just security, but also functional correctness, so make sure that the parsing and everything is unambiguous and um uh the the state machines can be implemented correctly and so on, and so you have a finally a security proof at a byte level. Precision of what the spec actually says and of course that's. The last step which you are always interested in is where can we link this verified spec, which is executable?

E

So it's really like a reference implementation to an optimized implementation and see, and that's the kind of thing that we it was, was our approach. Okay, so next slide uh uh sean and what we did was well. uh We went quite far so we wrote a research report. uh It's on that url up there and benjamin uh finished his phd thesis.

E

This year, congratulations and it's it's in there too, and what it what we did there was we in in f-star, we wrote formal models of art, m-cam tree cam, with blanking, without blanking victory signatures with all three signatures, a whole bunch of these specs in in a star, and then we added a security model based on malicious insider, so that you could model double joint attacks, and I don't remove even on the the one that we discovered and how, when people join, and then we did inductive proofs from the streets to show that the secrecy invariant of mls holds in all these cases and so on.

E

So at least for the of course, it fails in certain cases if you allow insider attacks, and then you show that okay, if you have three signatures of a certain kind, it's satisfied.

E

So this was okay, but you're not entirely satisfied with this, because in order to actually formalize the notion of our secrecy and uh post-compromised secrecy, uh in fact, the existing models in extra were not adequate because they didn't actually allow us to speak very precisely about the trace and the sequence of events that were happening. So we ended up inspired by this development, actually doing a completely new symbolic verification framework in a star that can actually cleanly handle things like forward secrecy and pcs and so on, and that became its own beast.

E

It's a completely different project and completely new uh verification style, very different from anything you've seen before in the star or not seen before, and so we had to take a pause on this as a next slide shown.

E

So what we ended up doing was building a full verification framework called dystar for doing symbolic proofs in f-star. This is published at uh euro smp this year and the link is over there. You can go stare at it and what this is is a new framework for symbolically verifying cryptographic protocols and their implementations in a star.

E

Its design was heavily influenced by mls, but it's more applicable, more generally, of course, and it has its novel trace-based semantics which is built in so it's a completely new way of proving things in a star, and the nice thing is of course, since we're doing type checking the proofs are all modular. So, however, large the code gets, the proofs tend to be quite very, very much scalable and they're. All machine checked right and the soundness of this verification method itself was proved in a star.

E

This took us a long time to kind of do this, so we put mls on the side and we kind of developed a verification method, and then we have showed that it's generally applicable by applying it to signal noise, acme and so on, and then we came back to mls, okay, so next slide uh shown.

E

So this is what we've been doing for the last few months, so teophil wallace, who will speak in a little while there was a new phd student who joined the group and took the patent from from beijing and he. uh So what he's been doing is all three of us have been doing is to build an interoperable model of draft eleven and f stars. It's it's more or less complete.

E

Let's say it misses some features, but it passes all the test, vectors from open mls and it's it's modular in the sense that it's broken down into several sub protocols, and this is something you'll want to speak about in a minute and all the underlying cryptography uses specs from hecklestar and eventually we'll use actual verified code from star. So it's all built on on sound foundations and just to give you an idea right now. This spec is about 2000 lines of restaurant.

E

We think we might be able to keep it at that size, uh even as we go forward and finish all the corners. Okay it'll be about two thousand lines if you've started it. Of course, this is just a spec, but it's executable. It's testable, but it's a spec, so the next step is obviously to encode the security goals and prove them.

E

So we hope to take all the work that we did before um on art and mlhd game and so on and adapt it for this new model and do this proof, so that's going to be our task for the next few months and we hope to have something concrete released and both the implementation and the proof in uh in a few months. Okay, so that's that's where we are right now, so um uh for the the purpose of this talk is I'll.

E

Tell you where we are and to also give some feedback based on what we found during this formalization step. So there's four things we'd like to mention and time willing, whatever we can either mention them today or we can discuss them some of the time and I'm going to start by this idea of decomposing mls into sub protocols, which is what we did in our spec.

E

But then there is this note. We sent on the mailing list about optimizing, unmerged leaves and simplifying the key package, and there is a there's a fourth point about. Well. Why do we need free, math, anyway, kind of thing? Okay, so uh let's go ahead with decomposing. Mls next slide.

E

So when you try to uh write down the formal spec of mls, we we're kind of getting scared. Now because it's getting to be a pretty large protocol, uh I think it's not so easy to say I'm going to take a fragment of this protocol and prove it anymore, because the dependencies are all over the place and in a way it doesn't have to be that way.

E

Okay, so, but the way it has evolved is that we have added things and features, and so now there is a little bit of a monolithic thing going on in the current spec, which I'm hoping the next rewrite. We can, at least without changing anything technical. We can at least like separate out the components a little bit better without affecting the the technical details of the protocol. So the way mls has evolved is that well it's doing dynamic group membership, but it's also doing group key distribution.

E

It's doing application data encryption and then there are exceptional features for preventing insider attacks and some optimizations like converge leaves- and all of these are like mixed together in the ratchet tree, and this makes it pretty hard to specify and to prove so. Here's next slides shown so here's a decomposition that we are using in our spec and we wonder if this is not more useful generally, so I think mls naturally breaks down into three sub protocols which I'm calling tree sync tree. Chem and freedom.

E

Freesync is basically the protocol. The sub protocol that manages the group membership and synchronizes the group across various parties and.

H

E

Spec actually talks about tree synchronization separately, but if you think about it, the street synchronization protocol does not need to care at all about what is the content that is stored in each node in each leaf. The fact that they are public keys or cipher tags, or whatever is actually not important. All we are trying to do is replicate this data structure across all group members and keep them synchronized.

E

So we need tree agreement and authenticity.

E

It's a three shaped data structure that we are synchronizing, that's for sure, and we need signatures three signatures actually to make sure that everybody is synchronized and we need some kind of hashing for the parent, hashing and so on, but really the encryption, the secrecy of of tree keys and so on does not really matter for this protocol, and a big chunk of the mls draft is actually doing presync the way it's written, it's interspersed with all the secrecy and and the cipher text and encryption, but really it can be separated out in our spec.

E

We have separated out this part completely from uh from tree chem.

E

The second part which I'm calling tree chem is actually the protocol that uses trees to distribute keys, and here you can assume that there is actually a tree which has been correctly uh synchronized across all nodes, and all we are doing is using the key structure to create updates for uh the node secrets and to encrypt the node secrets to different people.

E

Okay, and so this is the protocol that ensures fs and pcs for the node secrets, epoch, secretary secrets and so on, and this needs to use hpk and kdf, but this doesn't really need to use any signatures or ead or any of that stuff right and the third part which we call message framing, I guess in the in the spec or application data protection is street m is what you're calling treatment. It's nothing surprising.

E

Once you have the epoch secret, then you can derive keys for encrypting each message, and so this is taking care of the application data encryption protocol. So all three of these are tree based protocols. They all share the commentary data structure, but they are really trying to do very different things and it's by collapsing them all into one ratchet tree or in one conceptual space. I think we are kind of confusing things and making proofs and harder and the properties harder to understand so uh so this is how we have structured our our spec.

E

We are separating out these three components and there are benefits to this. So suppose you take the tree cam protocol or whatever the mls protocol, and you separate out this tree sync component. What are the benefits? Well, treesync. Doesn't care about encryption at all? Doesn't care about anything. Nothing is secret. Interesting everything is public data structure, okay. Well, we could and we could think of it as not being public in the sense of privacy, but really for for the security guarantees of mls. It's all public data structures. There's no key derivation, there's no secrecy.

E

There's no encryption! You can express the create, add, remove operations directly in freesync for update. You can still express update, but the contents of the update are opaque, byte strings they're, not uh they're, not cipher text they're, not public keys, is opaque by string from the viewpoint of tracing you're. Just updating a path in the tree you can even express the notion of unmerged leaves parent hashes. All of this doesn't require any consideration of uh of key derivation, okay of how the keys work.

E

Instead, what you do is you focus on this in protecting the integrity and authenticity of this tree data structure against both outsiders and insiders. You can actually state what the double join attack means directly on the treesync protocol, without even thinking about uh hpke encryption secretary secretary, you don't even have to think about it.

E

The double joint protocol can directly be expressed on the treesync protocol and, if you think very at a high level, what is nice is that in the mls spec, we already have a good understanding of what treecam is supposed to achieve, which is a secrecy invariant that we state in the spec. But in fact, treesync has an equally nice property, which is an authentication invariant that it enforces.

E

So what is the authentication in variant of presync, which is it is that the content that you have at any non-blank node m must have been written by one of the members under this node. So it's a right policy that we have here, not a read policy. So we say that this content, we don't care what the content is it's opaque, but this content should have been authored in some update by uh one of the leaves underneath this node okay and so, which means that basically, every update is signed.

E

You must have to check the signature and you have to rely on tree signing for the joiners in order to get this kind of guarantee, and you obviously have the property that since you've checked the signatures, if the the member who signed this particular node was honest at the time at which it signed this node or at the time you verified the signature, then you get the guarantee that the subtree at that node at that member is the same as the subtree in your local tree.

E

So you have this nice integrity, authentication property that you can have based on just this resync protocol. Okay, next slide shown.

E

Conversely, there is also benefits to trees tree cam. Once you remove the tree sink part of it, it actually becomes very simple. Okay, all your all tree, cam is doing, is sort of like the original art paper already had this idea, but the original art paper was only doing key distribution, didn't worry about signatures and so on, and this this is what you get out of tree cam.

E

You basically get to do just updates and treat a key key derivation for each node and and that's it and you of course manage the transcripts and so on. Maybe, but but you can actually remove a lot of the tree management stuff out. Okay, we don't care about signatures. Authentication, parent hash is not part of trick, and you don't have to worry about any of that. Instead, you just focus on key derivation and you think about it.

E

You what cam is doing is enforcing the read access control policy, which is already documented in the mls spec, which is a tree secrecy invariant that the node secret in any non-blank node can only be read by one of the members underneath it okay. So uh so that's sort of it's there's benefits to both sides by kind of factoring these out, at least in the specification next slide.

E

All right, so what did we do? We kind of divided up the protocol into these three parts and you find that they get kind of quite equally separate out. So three sync and f-star is about 400 lines. Streak is about 350 lines. Three, damn will be about 200 to 250 lines. We haven't completed the freedom part, but we did most of it and we expect that these can also be because we have separated out the crypto components.

E

You separate out the security goals we expected the security proofs will also be quite modular, but this is something that we are working on now. I cannot promise it, but that's uh that's the idea.

E

um My question, I guess for this part of the of the of the development- is that we can either take this what I've said so far in two ways: one. Maybe this is a good way for implementations to structure themselves and something like a recommendation of decomposing. The protocol into these sub protocols should be part of something like an implementation document.

E

Alternatively, maybe this also points away as to maybe we should rewrite a little bit or restructure or the the mls protocol rfc in a way that makes this separation a little bit more explicit would be. May perhaps uh a nice thing to do, and I don't know I don't know what? What without change, because none of what I have said right now is actually changing the spec. It's mostly about how to separate out the different components of it.

E

There is, of course, an issue which is that not the separation is always not not always super clean. I pretended that it was, but in fact there's at least one or two places where separating our tracing and tree cam was a bit of a pain, and one of them is the parent hash construction, because the parent hash construction currently depends on the tree resolution of the sibling. So it actually tree resolution for us belongs in tree. Cam and parent hash belongs in tree sync, so this separation was a cause.

E

Some is causing some ugliness in our specs, but if we accept that this is actually a worthwhile separation to have, then it's not so hard to to remove this kind of a dependency for very specific uh components for parent hash. Instead of using the tree resolution of the sibling, I think we could use a tree hash on the sibling, for example, and that would kind of break this dependency, but that's only worth it if we decide that even in the protocol, maintaining the separation is a worthwhile idea.

E

So I'm going to stop now and take some questions. We have a few more things to discuss, but we could do them later, uh depending on what you all right, joelle.

C

Has his hand up first, I I just have a it's a really short question. There was a couple slides back. We were talking about treesync um you you had this comment that uh double joins can be demonstrated on treesync legendary yeah. What does that mean? Because to me double join is also it's mainly a privacy thing and I'm understanding is true. Sync doesn't deal with privacy.

E

How do I interpret that sentence exactly so? I think you interpret it as double join. What it's doing is actually violating the tree. Authentication, invariant, okay, and, as a corollary of that, then it violates the privacy of um of uh of the of the of the keys at that node. But that's that's a separate point.

E

The first thing it violates is actually the authentication variant because it says that somebody who's not at a particular node is able to so at a particular leaf is able to get control over the over the contents that you are writing on that leaf and on its parents.

E

So yeah, that's what I mean by that, so it's demonstrable as a so. Let's see, let me put it this way. Double join already violates the properties you would state for trasic. I'm not saying that the attack, which results from double joint is demonstrable in precinct.

E

That makes sense.

C

Yeah, the other comment I had is uh well. We I'm super love to see this in in more detail the street this this, how you, how you guys, define these three modules- we've been matt and I've been working on on uh some modularization ourselves, and I'm hopeful that, at the very high level that I've understood from the slides, I think it should work in the proofs too. We're we're because we're also ending up in not completely different way of modularizing things and we're actually doing it for the purpose of proofs.

C

So it sounds to me like this is the very natural breakdown I think and yeah? Yes,.

E

Joel so we have been highly inspired by the series of papers, you've written as well, and we've been looking at the proofs, for example, for the insider tax paper and saying well, could you have done this kind of proof without worrying about you know some aspect of the protocol? Could you remove suspicious particular protocol and still do the proof and that's the kind of thing I mean looking at your work is what is also inspiring that maybe some modularization would help in in doing the full big beast in the end. You know.

J

Yeah I'm happy someone's reading.

A

All right, that's it for hands, as I think uh benjamin let's hand it for a second. Then you put it down richard nope, all right. Someone threw something down in the chat.

C

Right right, I guess.

B

C

Sorry, just just one because you you said at the end about you, propose this idea of um even rewriting the spec in a more modular form.

C

If we were to start from scratch, I would say absolutely that's the way to go because of how complicated things are. At this point, I'm not half as sure just because.

H

C

Like that would be quite a big freaking job, that would be a big freaking change, um so.

E

um uh I agree I mean it's uh it's uh the spec is has evolved in the way it has evolved and there's a lot of text and 80 pages of text in there so and multiple implementations already.

E

So uh at this stage, I guess the the best one could hope for is to have the conceptual uh components described in the introductory text and maybe use uh some kind of terminology to cleanly separate out the the section headings. Basically, that's basically at most, I think you can do and if there are some subsections, that should become full sections or whatever this kind of change is not really a full rewrite is inconceivable. I think.

B

That seems right, like laying out this as a conceptual map for people to understand the more detailed stuff. That's in there right now uh seems like a fine thing to do either kind of in the top part of the protocol spec or in the architecture spec.

E

Because if you think about it, we already do this with the ratchet tree description, where we don't really see exactly how it is to be how it is specified. We actually say this is the conceptual ratchet tree. What I'm showing here is actually saying that the ratchet tree is actually three trees and they are for different purposes, and you know what we are explaining in the in the spec.

E

Right now is the mix of tree sync and tree cam, and maybe we could just separate it out a little bit in that introductory part without changing any of the mandatory parts. Later, let's see.

H

I think it would be up to. I think uh I think he left richard, but I I think I'm I would be game to take a crack at it uh like do a minimal change thing, which would be basically just a rewrite of those sections in a light way, but just to speed it.

H

I don't mind, I don't mind doing that work. Actually, so maybe if that would I mean if that works for you, when I can submit the pr in the next few weeks um to try to do this.

H

Rafael, what do you think.

D

Yeah, I mean from a practical point of view, we still have a bunch of open questions on the current specs, so um I mean it's great if you want to start a rewrite, but we will be struggling with addressing the open questions, because I think we will not address all of them today. So keep that in mind um at some point uh you know if your rewrite is successful in the sense that we all agree that we shouldn't switch to that.

H

Yeah, that's one more step to consider so I'll. uh We can really discuss when to do that, though, whether we want to do it after all before we handle the other stuff, but uh if we are gonna, if we are gonna attempt to do something like this, I will take that uh appear.

E

Okay, so sean, I promise to stop at the top of the hour and I think, there's a bunch of pr issues to go through. Yes, so maybe we split now we can we go on to the other two topics and if there is some time left at the end, uh theofield could address uh could discuss some of the other suggestions. That came out of our analysis. I.

A

Think that'll work and thank you for being relatively on time. You're taking questions all right. So let me stop sharing this so then the question is um uh protocol or architecture document I feel like we should probably do protocol first. Can you lead that discussion, raphael.

D

um Sure, on the other hand, I think richard is going to join again.

A

He is going to join again later, so maybe we could do architecture so.

D

Yeah, in that sense, architecture would be more appropriate now. I guess all right.

H

Sure um so I mean there are not too much we can. If you can share screen uh shown about the the issues there are not too many uh issues left.

H

So we did a bunch of big rewrites for the last architectural draft, where we handled a lot of the comments that were already there.

H

So there are only a few uh remaining topics that we want to to to handle for that. For that document plus the few there are very few open issues in the documents, but there is, there is still a lot of contributions that that people want to make. So the main, I think thing that we have to improve on the document is the expected type of deployments.

H

So the thing that was suggested by brandon um it, basically it basically like the idea- is just to give a few of the possible kind of deployments and describe them a bit a bit more thoroughly in the draft. So it because you know you have so many kind of different deployments.

H

Making the language agnostic for the deployment is quite difficult, so conrad britain has actually made some suggestions on and contributions on, prs where they suggested. Some changes to make sure that we say, for instance, that the authentication service uh provides certain properties such as uh credential authentication, message, authentication and actually like uh give a bit more detail and the the the rest of the draft is like. There is a huge fraction that has not been there before about uh security considerations, where the idea is to go from the smallest compromise to the biggest compromise.

H

So in some sense like what happens, if you compromise an hpk, what are the guarantees that the protocol should aim at? If you break you know uh the secrecy of the signature, private key when you get et cetera and I grow and grow and grow with stronger, stronger attackers up to the point where you get a full uh full state compromise for for for one of your clients and what are the consequences? And things like this?

H

um So there are really those two parts like the functional requirement parts and the security, and this part, because rita and conrad are actually chatting a few pull requests on this to to kickstart. The the things that they they actually think is not as good as the as it should be.

H

But globally most I I believe that most of the content is already there and then there is this pr for the functional side of this pr from this issue from london um to describe more like the the general architecture or designs that that can uh that can happen. um So this one, I will probably need help.

H

I asked uh I will ask: I will discuss this with brandon right. I thought he would join, but um I will discuss this with with brandon, but any help here in terms of what we want from the document. Generally, I mean for the entire document.

H

What we really want is to have contributions, issues opened on what you think is missing from the document, uh so we under like most of them, have been already handled. Many of them have been handled, but uh you know we have a lot more things to actually say in that document uh that we can like. We have infinite topics in some sense, so if you think that there is something missing or that there is something incorrect, that's the value uh for the architecture document right now.

H

So just like reading the document and opening an issue of this is wrong. I don't think that's correct, or I think we should discuss this, um because everything that we had listed before is sort of handled now, except for a few open issues in the document.

H

H

Yeah, it's going pretty well, uh I don't see the document particularly late or lacking behind the protocol document.

H

But I think now I think the the best thing is just to have more readers and like open issues. That's the that's the valuable thing to do here.

A

So yeah yeah, because this document is going to be very important to help get the prototype protocol document through the isg. So I don't know how everybody else sees this, but I see these two documents going at the same time.

H

Yeah they should be. You should go at the same time, so.

A

H

The real need is for people to actually read it.

H

If you see what I mean and open issues, that's fine.

A

Are there any of these particular issues that you think we need to go through now.

H

No not specifically, and most of the issues are usually editorial, so so there is one which might be interesting that we never discussed. Actually we discussed it at the very beginning of the of the working group is whether we should actually provide recommendations for key updates in terms of amount of time, I'm pretty much against it, because it's very difficult, depending on the use case and the infrastructure and the device on which you run the protocol to to ask or to require any kind of specific time frame for commit for making commits.

H

So I would pretty much say so. The way we tackle this for now in the document is that we say that if you don't update frequently if a compromise happen here is what's happening, but we don't uh we don't say you know you should update every 12 hours and I don't think we should really do it.

H

um So I'm I'm looking for inputs here. What are opinions on? I don't think we can actually because of the different use cases that we have. We have so many different use cases that I'm not sure it makes sense, but.

A

So this is separate from like the kind of key update things that quick and tls have provided right. This is this is about um so.

H

This is basically commit.

A

Yeah, it's not.

H

Basically, what commits.

C

My take is, I would be hesitant to make any recommendations about, commits and updates, because there's just so much flexibility and so many different ways. You can do that and so many different constraints and everything.

C

I can hardly imagine anything more useful to say than do it as much as you can afford to for the devices that are at greatest risk or something like that very vague. That.

E

Makes sense to me.

H

um Yeah exactly.

D

H

Well, okay, so if, if most people agree, there is nothing I mean you should probably close that thing and I will phrase it exactly as we discussed like we should make it as as often as possible, but I don't think there is any specific things that we can recommend. Otherwise, so.

G

Yeah, I think the best we can do is have the reader enable the reader to make an informed choice and give a vague recommendation and inform choice. That just means that we should be specific about the security that we get from doing an update and yeah the reader.

H

That would be, uh that would already be in the documents, especially in the compromise scenarios.

H

All right go on one: okay going twice sold, so I guess you can close it, but yeah really. What we need now is more readers, more readers and opening issues to make sure that, basically, the concern that we have is to make sure that when we go to last call or something like this, we don't miss too much uh things that we want to discuss things that we that we think might be important to discuss.

H

If we achieve that goal, I mean I'm pretty happy with the. I will be pretty happy at the document after like a few editorial paths and things like this, so it's um in terms of content. I think we already hate a lot of different uh things that were tested to discuss.

A

Okay, I closed the closed it and um put a comment in okie dokie. So now we can. uh Let's jump over to the end to end um discussion is mallory here.

K

Hey yep, I'm here um I prepared like a few short slides, but I don't have to use them. I don't know if I'm able to share my screen, but.

A

You can, if you want, if you, um if you you can just, I think you can just grab share and go with it. I mean I'd appreciate if you could just send me them afterwards. I.

K

Would love to do that all right cool it was an afterthought, so that works okay um that should be working now. Does it work now well, yep.

A

We're seeing them.

K

Great yeah, thanks for your time today, um there's a draft in the data tracker. um It's right now on its own, no working group, um but I did send it to you all on the list. Maybe a couple weeks ago. The title is definition of end encryption. um Some of you have seen this um and initially before it was in the data tracker I asked around about.

K

You know where's the best place in the iecf for this, um and I think the reason why I sent the one and so the oh, the the original version was just that it appears there. May it may actually be applicable because we're not just talking about messaging apps, there's lots of applications for what protocol you are all designing, so I think it actually fits. So let me get into it. um I'm co-authoring, with fred baker, olaf, kolkman sophia who's, a contributor to this working group and gershabad grover.

K

The goal of it is quite simple: we just want to define it, um there's no real! There's.

H

K

Really good drafts out there that use end encryption and therefore have done an elegant job of describing what is it in their context? But there's nothing. That's really. Overall, I feel like there's, that's like a nice big gap in the ietf, um so the outcomes we're hoping for with this draft um we're seeing definition creep in mostly like public relations and like political debates, things being called into end encryption that are not um just straight up. uh It's not great.

K

So we also want this to be a helpful place to put things that maybe don't as easily fit in the architecture of the protocol draft um as a way of sort of offloading sort of long-winded, conceptual definitions of things, um and then the last thing we want is that we want to drive the definition with principles and norms, but then also that should influence the way implementations work so that you have different ways of articulating the things. These are things we don't want to do.

K

Another reason why we hesitated to get this draft into mls. um We don't want to define it by what it isn't like saying, for example, like um an an encrypted app that traces all of its messages is not end to end encrypted. We we wanted to avoid all the things that we feel like are sort of um deviations from um solid e2e.

K

The second thing we wanted to avoid is um by directly invoking threat models. um We did that on purpose, um although I think we, in speaking with others like stephen farrell and so on, like it's going to be useful to use threat, modeling to potentially figure out holes and gaps in the way that we define it, but we don't want to rely again. It's like we don't want it to be an anti-definition and then the last thing is.

K

um We wanted to be careful about the debate and engineering discussions that happen in the open and the ietf around this draft, because going back to one of the main goals.

K

If there's a whole lot of dissent or disagreement about fundamental requirements, then that could actually be harmful to a crisp and clear definition of what is e2e and what is not right. So the draft itself. um It's really breaking into three pieces uh because we felt like one approach to defining. It wasn't quite good enough, so the three different approaches to defining it are meant to complement one another. So the first is just like a straight up. Formal definition like can we just define the building blocks the relevant pieces of it?

K

The second is definition by features so trying to functionally define it and then the last one we felt was important to include around you know when a user is told that a system is end and encrypted, what do they expect um so, hopefully, those three perspectives, kind of give one. You know a full picture of what e2e is without being too long-winded um so very quickly.

K

The only major change from the initial draft to the o1 is that we added a subsection around endpoint because there seemed to be we had in the end-to-end principle section, but there seem there is, and it's actually really critical to figure out where's the end in a device. Is it the application? Is it the operating system? Is it the person operating it? You know. How do we do that? So we um created a section for that.

K

What we're going to do next, um so thanks very much to raphael, for an initial review and to others who've, also given reviews but like on the back end, not on the mls list, we're going to incorporate what comes through either on the list or in github in the next version, probably within the next couple of weeks.

K

Actually, one of the things that is seeming, like a lot of feedback, involves us getting just a little bit more thorough in the sort of short definitions that we have of features right so like perfect forward secrecy and um uh anonymity and all those things that are not directly related, but certainly are part of an engine encrypted system.

K

Folks, just think we need to be more clear, um but I would like to be as precise and short as possible, I'm going for like really sort of quotable, bytes and also readability right, because we imagine that this draft, because it's a definition, would be an accessible document outside of the engineering community as much as it is useful to this working group and then the last thing is, um we were hoping that, like I said before, in one of the goals like where there's no timeline on getting this um finalized like it would be something that could sort of accompany uh the mls working group as it does its other work such that we can strategically place things in it.

K

Take things out, put them elsewhere, like sort of use it as um sort of a scratch pad for a while for things. um So to that end wondering if- and we can discuss after my next slide, if there'd be appetite for a working group, adoption now or a future point something that you want to want to think about and then yeah that's. This is just the link directly to it and github. If you want to um check it out, um do reviews pull requests um and it's obviously in the data tracker as well.

K

On the first slide, I had that link so anyway I'll they're yeah. It sounds like there are questions. Let me know, I'm sorry, I didn't put slide numbers. I always forget.

A

Karthik you're at first.

E

uh Hi, that's it's a very interesting idea to do a definition like this. I'm wondering, if uh I mean, is it a black and white thing or are there levels of e3 right? So, um for example, if a server were to like an mls scenario, were to manage the groups, as it knows, the membership of the groups and uh and so on. This is what is one of the possible deployment scenarios for another site? It's actually so it does know a lot of metadata.

E

What was in the group would that still be considered e to ee. According to your draft, we shouldn't get into a situation where mls fails the definitions. I.

K

Totally agree, that's exactly why I think we want to write this down so that it's there is clarity around that precise question. So I don't I'm not going to say I know the answer, but I think from the from the document it sort of takes a principled approach and then a feature approach, and I think where you're talking about is maybe the feature approach and obviously you know we're defining anonymity within there, not because we think that every system is going to have perfect anonymity for people, that's just probably too hard and too absurd.

K

But the point of that like these are the hard problems that end-to-end encryption systems are trying to solve for the sake of security and privacy and then the sort of way implementers trade off those things, because some of them are actually paradoxical.

K

The way that implementers like try to address these hard problems and trade off various features to achieve a system um that happens elsewhere. That happens in other drafts, but here you've got sort of it's almost like a menu of of different options, and I think it's going to help a lot in answering exactly that. Question like are we comfortable, calling, um you know a system that maybe has more metadata than others like still and what's the line right.

C

Jwell, hey, um I was just wondering: do you envision, pgp and and systems like that to be included, or um do you like, under this definition essentially or do we need, because you did mention forward secrecy? uh Do? Would you like the definition to draw the line at sort of updating security like pcs, fs or could it also include pgp.

K

Yeah, so that's that's why I think we hesitated to put this in mls in the first place, because we realized there are other places where this is being discussed and lamps and and open pgp is now a working group.

K

So I think at some point we have to make a decision, although one of our, I think, a a a major part of this plan is to get to like notify the sag.

K

You know group as well like to ask for reviews, um because I'm not well one is to ask for reviews, but then two to ask this larger question of like where does this belong, because, ideally it's it's highly applicable to everything, that's using end-to-end encryption, but at the same time yeah. I I don't really know like I.

K

I felt more confident that mls is doing more than initially you know had had um set out to do by going beyond just you know, messaging systems, but maybe um it gets us a little bit closer to having an answer, but um there are other ways of doing this. I mean yeah. Somebody suggested like putting it in model t. I thought that was a interesting idea, but maybe not a great one, um because I think um yeah model it would be like the anti-definition problem right anyway.

K

I don't have an answer. Joel sorry,.

C

That's okay, so let me just uh I just before I pass on the token or whatever we're calling it I just wanted to. Why did I ask that question because to me, um pgp is end to end, but it's from an older generation of end-to-end cryptography and since then, we've moved on. You know double ratchet mls all these things, but the distinction to me is really a matter of the security they go for rather than the notion of what is an endpoint and what is encrypting to the endpoints.

C

And so I don't see a natural way to distinguish between these generations of these technology without getting into security definitions, which I feel is almost a quagmire. It's it's. It's going to be very hard to clearly define this in a way that we can talk with non-technical people about these notions and get the sound bites. So that's why I was sort of asking what the scope is, because I think it's easier to just do end-to-end.

C

That includes pgp and everything maybe less useful though, but it seems to me like a more tractable problem to define that. Okay, I.

K

C

K

No, I think it's, I think it's an interesting one. I don't really see like from a user perspective, I'm not sure we have to get too precious about the difference between the generations. I mean. Surely um so yeah I'd just like to to tease that out a bit like what would be the goal of trying to make a distinction when potentially they're just seen as yeah, like you said generations, and that maybe it's a good thing that a definition could encompass both considering there may be.

K

You know another generation in the future. That would we would want this definition, definition to actually either guide us towards or at minimum encompass, um so that it's somewhat immutable as much as technology can be.

J

K

Thanks for bringing it up.

C

I think I'm done. I don't wanna. I don't wanna not always time here.

J

Conrad you're next.

G

um Yeah, I also think this is a really interesting project and I have to admit I haven't read the draft yet, um although I certainly plan to now uh so I was just wondering because uh and part of end-to-end encryption kind of, at least in my mind, has to be and to end authentication as well so and since mls doesn't really specify authentication.

G

um How do you think mls would even like has a chance to to qualify without making any assumptions um with regard to authentication.

K

Yup, I think, that's a fair question. um I think that that's obviously something that would need to be in this definition- and I think, is but um wouldn't necessarily be part of what mls does. I don't think that that means you're completely, avoiding invoking it right. So I imagine in the architecture, draft there's going to you're going to be signposting to implementers like how the protocol fits in with a larger system, so you may be using.

K

um You know, keywords that we would want to define in this draft um and actually it's a really good use of this draft so that you don't have to spend a whole lot of time talking about technology. That's not part of the mls protocol. You can put it in the definition draft and then you just sort of uh point to it.

K

G

That's actually a very good point. That's that's interesting. Thank you.

A

So um I think that we have to figure out what we would do with this going forward. I think in the short term, I think that this probably needs to go to set dispatch. I know I'm like giving you another working group to go to, because I do see that it's more broadly applicable um and that's the group that that kind of says which working group to go to and whether an ad should sponsor it. So it kind of shows you the paths for where you could go.

A

um I want to uh draw your attention to rfc 4949, which is loved and hated, but it's 365 pages of definitions of security terms, including end-to-end encryption and points and systems a whole bunch of stuff. um It's it's pretty um it's encyclopedic, and but it's much it's much like a uh it's more like a dictionary and so there's less prose.

A

Whether that's helpful hurtful, I don't know, um but it's something I think we should you you might want to at least look at that, um because I believe that document went through and was ad sponsored so as opposed to going through a working group right that.

K

Was yeah? That's definitely come up as an option um I feel like. We must cite 49.49, if not that's a big oversight, um but I know people have. I know I've read it well like. I said people love it and hate it. So you know big cherry.

A

Picked the parts.

K

And I think that you know this wouldn't at all, replace what's in 4949, with respect to indian encryption, it's just. This is a way more verbose approach to it that I think, provides space for nuance and for different. You know, like I said. The ways in which we define things formally can be very useful, but they are limited um and so yeah. I I think, you're right that sec dispatch needs to probably handle this so.

A

Because I could see how we could weigh in, but then I could see the open, pgp and lamps people being like hey what about us too, and then you have to put the subtle nuance on it. So I think it seems to me it seems to make more sense going to some place where you're going to get broader input and review. Basically.

K

True, true- and you know, dkg and stephen um know about this draft for sure they've seen early copies of it um and I think dkg is involved in lamps, so that would covered that. But anyway, in any case it'd be I mean if nothing else, I'd like the opportunity to tell more people in the security area about this work, um and so that is a that's a good use of that space. So we'll we'll do that.

K

Thank you for the suggestion, um and you know thanks for those who've already taken a look and reviewed it thanks in advance to those who will do so going forward um we're looking forward to getting another version out, like I said in a few weeks, so thanks a lot all.

A

Right great, uh so now I think we're going to try to jump into the protocol uh outstanding issues I was hoping richard will be back, but he's not yet back so raphael, I'm hoping we can lead this.

D

I'm not sure, absolutely, let's see what we should start with. Maybe we can start with the prs because they're a little more concrete than the.

D

A

Tell me which one you like to look at first.

D

So yeah, let's start with the bottom one, the uh 439.

D

There was quite a bit of discussion around that. um So there seems to be some preliminary consensus that doing.

D

That is a good idea, so just to recall what the proposal is here, the idea is that every leaf in the mls tree should have its own identity simply because that makes it a lot easier to tell them apart and you don't have to use the indexes all the time to reference them, which also turns out to be a bit of a problem on the implementation level, because you try and abstract away the indexes from the actual application using mls.

D

But then, if it's not unique, you can't really reference actual members of the group, uniquely, if you don't have that so um the practical issue richard had with it was um the case where the identifier would indeed be shared among different leaves that all belong to the same user.

D

But I think that problem got resolved, so I don't think that there is anyone so far that I've heard of that would be against making this change.

D

If not, please pick up.

D

Now no opinions on it. Okay um in terms of merging it.

A

Probably so, I think.

H

What I'm going to do is I'm going to put.

A

A note in here, let's say that we discussed it and there was no objection that it should be merged or fixed, because I think there's probably some commit problems here. It seems like there's.

D

Yeah this one could be merged, but in general we'll run to that in the next one. So yeah, I think that's a good approach. Thank you.

A

Comment not close all right.

D

A

D

uh Take the next one, then 453.

D

So I don't think we have eric in the call today, um I'm not kind of if you can say something about the security implications of that from the discussion. It looks like there's consensus that we want to do it. I'm also not aware of any downsides, but a bit more motivation would actually be helpful.

G

To be honest, I haven't looked at this pr in quite a while, as I remember, it's really just moving the place where the context is injected into the key schedule to an earlier secret um so which.

D

It's I think, it's additional, it's not moving it. It's doing it one more time. Yes,.

G

G

G

Yeah I'd rather push this down the road a bit. I need to take a look at it to really be able to say something, but I'm pretty sure it's certainly not a like. It certainly doesn't decrease security, or at least it shouldn't- and um I remember that this made the security proof easier.

G

But again I can't remember the details. Yeah I'll I'll, prepare something for next time.

D

Okay, maybe we can note that we don't see any downsides so.

D

D

Now we're looking at 355.

A

Hi conrad, I stuck you with an action item, continue to review the last one: okay, yeah, that's all right! Thanks, yeah, okay, see if I can actually do this properly.

D

There we go. I have to admit that I haven't looked at this in a really long and I've just been on it.

A

So this is the more editorial changes. One.

A

454 yeah, okay,.

D

Yeah 454 um actually- and there was one uh part that is not editorial, which was an oversight and it's a missed um which adds.

L

Data authenticated data yeah, I sort of snuck that in because it was a tiny change and I'd. um I talked to richard about that and he said uh that yeah that should have been added so rather than creating two pr's I sort of snuck that in, but if I, if it should be two different pr's, then I can split it out.

D

Well, I mean this one, we could merge right away and the rest is probably um something we would have to look at again. So if you want to do a separate pr for just that, I think that would be straightforward and then you could remove it from this pr and we only look at the editorial stuff.

L

Yeah, I can do that.

L

L

L

So the the rest of the editorial changes are um a big chunk of. It is because I noticed there was a discrepancy between two different sections, and so I tried to make them both agree with what's implemented in the mlspp library, and I think I managed to do that if I've read the ms mlspp library correctly, but yeah, I think someone should make sure that I actually did that correctly.

D

Yeah, so what I propose here is that um we can take that with uh richard and look at it. It's not something where we need consensus from the working group. Nonsense. Just a matter of resolving the details.

L

Yeah sounds good.

A

All right on to the next one.

D

All right, uh 4 55- um I propose that apparently yes, so it's just one line change. Essentially um I've heard it is ambiguous. If you have something that is a list or an array that is also optional, because then it could be there but contain zero elements.

D

So that's I propose to disambiguate it by just removing the the optional part of it and then it can just be an empty list. Essentially uh from the conversation, benjamin, I think you.

H

Some concerns, no, it's okay. I mean we discussed it pretty softly. I mean as long as there is some input, uh that's fine, so we could. It could be like or zero input in the case where you you don't like, you have an empty list or something and it doesn't impact security. So your proposal works. Fine, okay,.

D

Okay, I'm gonna go ahead and merge that if there is no other objections,.

G

B

Wait, which number was that for my notes,.

A

455 45, so richard I've put comments in the previous three that we discussed. Okay, thank.

D

D

um Then we have 462, which I think is editorial.

D

Yes, yeah, that's only a tutorial um uh richard if you have reviewed that, otherwise I would propose. We um quickly review the uh wording afterwards and just merging yeah.

B

We can handle this offline just with the editors.

D

um Okay, then we have a controversial one: 463 remove the egg proposal from brendon who's, not in the call today.

D

Does anyone in the call today want to motivate that pr.

D

B

Argument brendan makes is that this is not core to the protocol um could be included, upper layers, etc, and so we don't need to have it here.

D

But we already have that discussion at length from previous interims.

D

And uh I think benjamin had some good arguments for having it at the protocol level.

D

Simply also because double ratio has that mechanism, essentially.

D

So what are we going to do with fpr.

D

It seems we have no consensus that we want to merge it so uh sean. What's the uh close-up action here.

A

Well, I think, typically, we leave.

B

It okay, I'm just skimming back through the.

B

Through the mailing list thread.

B

B

It looks like yeah, I'm not seeing anyone keen on this besides brendon, so I think um the chairs one seems like there's ample evidence for the chairs through the clarion and the rough and just close, this issue.

A

All right: well, let me go back and review that and uh that that's the way we end up, we'll we'll go ahead and do that. Otherwise we'll try to bring it up and okay so curious. Had the actions yes yep.

D

All right, um so I see 464 now um that is also linked to an open issue. We have so I'm inclined to skip that one for now. That's something! That's disgusting, 464.

D

B

Yeah, I think this is just a clarification.

B

H

B

Just to clarify the the situation and not to change processing.

G

It it is, um but I had a longer discussion with raphael that came up also while implementing and we created a new issue regarding extension. So it probably makes sense to just leave this for now and first discuss the greater issue about extensions and then figure out. If, if if this is not like, if we don't need a bigger rewrite,.

B

B

You have to use.

G

Extensions 473, oh yeah, sorry we should have. We should have actually linked that on github.

A

Cool I'll leave that to you, then.

F

A

F

A

Great, um we do 465.

D

Yeah that looks editorial again. I think okay.

H

D

Yeah, I think this is uh yeah so again, pretty uncontroversial um I'd be inclined to go ahead and merge it. If there is no position.

B

I'm kind of merging this.

A

All right go ahead and merging it.

A

Making some progress here.

H

Instant gratification.

A

It's a wonderful thing, all right, minor fixes to message formats.

D

466., um that was from your return, yeah.

B

L

Oh, this looks like it includes the one line change from my from my commit or from ipr. So I guess I don't have to.

D

Split that out.

L

If we're, if we're merging this one.

D

uh That's that's.

L

A

Right there yeah.

K

D

So uh richard remind me, this is what we already do in interrupt pride, so uh yeah. I think this is motivated by the findings of the interrupt. I think that's right, yeah.

B

So I think these have already been integrated in the interrupt branches of the sensations and really um yeah so yeah. I think this is just addressing some um kind of alignment stuff between what's authenticated. If you look at the authenticated data and confirmation tag lines and then adding a missing definition of parent hash and allowing for big extensions, nothing, nothing! We're majoring in this.

D

Okay, I think all of the people taking part in the implementation effort agree on that one and since there is not much more to it, I'm gonna go ahead and merge. It.

D

B

D

B

Okay, it sounds good to me.

D

D

um Okay, 467 we discussed earlier. I need to do that now then fix typos sounds editorial again. 469.

D

Okay, maybe we can do that offline.

D

Copy and paste that one drone.

D

And then the last one 471.

D

Finding out that we should go to drafts, wait uh richard use the accordion. That's that correct.

B

I think so let me just check, um obviously we'll ultimately want to change this to the rfc version. Once you go to final.

A

D

All right I mean, maybe we can just note that richard's gonna check up on that. It's not nothing. I think we can merge.

B

This oh wait: 08 is the current version.

A

Yeah I mean I I pretty much think that's mostly editorial.

D

D

Okay. That concludes the pr part um this session, at least so now we should go to the issues. I guess.

A

Yeah all right, so we got 12 minutes left and I have a hard stop at noon, which one do you want to take? First.

D

I want to take 473 first because it's a bit of a bigger one.

D

So connor and I came across some issues when we looked at how extensions currently work and so well, it's all described in the in the details there, but the gist of it is that um it's not entirely clear uh what a group context extension actually is, so we have extensions that go into the key packages. Those are somewhat well understood in the sense that we have examples of them, they're even mandatory.

D

I guess there's there was mention about that on the mailing list the other day, but those are not the concern. The concern is the other ones, so it the specs sort of seems to imply that there are extensions that go into the group context and the group context has a field for that.

D

But there is no example of such an extension and on how it would behave. Instead, there is some sort of a counter example, which is a registry extension which is similar, but it does not go into the group context specifically because we don't need it there. It would also be slow, so it's uncontroversial that it doesn't go there, but the question is what actually goes there and how do these extensions manifest? So um on one hand, I think the language should be a little more precise. On the other hand, we need a proposal here.

D

To actually introduce a mechanism to update extensions by having a new proposal type and that way members can initially share extensions through a welcome message, which already has a feud for that. Just like the ratchet tree extension and then later on, they can also update them, and the update mechanism is synchronized with epoch changes so that every member knows exactly what to put into the group context, which right now is, is not clear what members should put in there at all.

D

So this gives us clarity and functionality that will actually be useful.

D

Any any initial comments on on that idea.

C

I have some questions, um so I see there's this message, type group context right and then in the extension, struct you've got the message type listed so that do I understand correctly, an extension could be either a key package extension or a group context extension. Is that right.

D

So this is what the spec currently uh alludes to and uh introducing this. This anim here simply makes it clear that you know this is what we actually want to achieve if it's not what we're going to achieve with the changes back so yeah. The proposal here is to clarify that they are indeed um really different kinds of extensions.

D

They have a similar format in the sense that they just have a type and a payload that they're used in different contexts that are completely orthogonal to each other.

B

So I I I think I agree that there's a need.

H

B

Clarification here, um it seems like basically where you're headed with this is to kind of declare two different logical classes and extensions on the key extensions that go in key packages and the extensions that go into the group context and the extensions in the group context would be set by the creator and then updated if at all, by this proposal. You're talking about is that.

B

Does that sound like um an.

D

Accurate understanding of where you're going here yeah- that's um that's pretty much it exactly so. The the key package extensions is the one category and essentially it's completely standalone in that sense, because they only live in key packages and in the second category um there is a slight nuance between the ones that do go into the group context and the ones that don't because we have this registry extension so either.

D

We say this is a complete exception and we treat it as such and maybe that's fine or we generalize this and say as part of a welcome message you you can send a bunch of different extensions, but you must specify which ones of them you want to have in the group context. So having them in a group context means the group actually agrees on the content of the extension. So it sounds like a very powerful mechanism to have.

D

For example, you can synchronize on metadata, um but there might be other examples where or other situations where you don't want that for whatever reason and then you're free to choose which one you want yeah. So I think there's.

B

Actually nicely.

D

Covers what we have then.

B

Yeah um so yeah, I think, they're kind of where this ends up is actually a three type. We have basically have three types of extensions. We have the ones that are in the context and then we have extensions that are local to a key package and local to a welcome.

B

I think the the ambiguity you're pointing out is that in the welcome message, the local to a welcome extension and extensions and the group context- extensions- are mixed together in one bucket.

B

um So I wonder if the way to resolve that is just to have two buckets in the welcome and explicitly say here are the extensions that go in the group context, and here are the other uh extensions um which are you know. Things like things like the the ratchet tree extension would go in that you know local to the welcome extensions bucket.

D

But that's almost what's being proposed here. The only additional thing that's being proposed is that you don't mix the group info ones and the key package ones. That's why we end up with three variants in the end. What do you mean by mix?

D

Well, I mean, um since they share the same extension struct. um You know practically speaking, you cannot really tell them apart.

B

So, do you mean you would use like separate name spaces or different structs.

D

Well, we don't have to if we introduce this message. Type enum, that's that's the lady here. So we, the current extension struct, which is just below that.

D

Is being being extended by this message type so previously it only had the extension id and then the extension data, and now it introduces the type and the naming is maybe a bit unfortunate. But that's what is in this back currently so.

G

J

G

So yeah just to be clear, so this essentially allows implementations not to rely on an outside caller or the spec to say what should go into the group context as opposed to what doesn't in a welcome message, but rather kind of it can rely on the message type. But then again I mean richard if we go with the two buckets that you proposed, and that would be explicit as well, so that would at least partially kind of uh make that.

B

Yeah, I think my inclination here would be to do the two bucket approach in the group info and then in the iana registry for extensions declare which of these three buckets key package group contacts group info, an extension can appear in.

D

Yeah, I think that can work. um Then the open question is the extension update that we propose here um that one would be specific to this one bucket, essentially.

B

Yeah that would only touch the group context, extensions um and I think what you're missing there is a list of extension ids to delete.

D

uh Well, no, I'm not sure we agree on that. Then.

B

D

So well, what is the symmetry so yeah? um In my mind, this extension update can contain updates to extensions that were initially shared in the welcome message, um but they don't have to go into the group context. Necessarily uh you could decide to. You know just use that as a as an enter an encrypted type.

D

Essentially, but you you don't seek agreement on the content necessarily, I don't have an example where you know you would absolutely want this, but um I just wanted to keep this sort of flexibility that you don't have to hash it into the group state necessarily.

B

So that seems more like the province of proposals and extending along that axis right.

G

D

I agree that there is some overlap, yes, but we also have never specified that so I mean. Maybe we should look at that in a broader context,.

A

Yeah I gotta run in about a minute. um I don't know richard if you can richard or nick, if you guys want to job as well, um but I think we need to pick this back up. uh We're obviously going to make a request for a meeting session for the itf online. We may have to have another knitter in the middle before that to see. Maybe we can move stuff along. I don't know how people feel about that, but it's something we should discuss on the list.

A

um I hate to hate to cut the discussion short though.

B

Sure, no I mean yeah yeah, I think um yeah raphael and conrad, and I can probably find some time to kind of do a little design team on this extension question and progress. Something back to the list.

A

Okay, that'd be great all right thanks everyone and richard. I appreciate you taking notes sure I'll, send you out in a second great excellent. Thank you very much. Bye-Bye.

J

Bye, bye to kim.

L