-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Separation between pre-published key packages and leaf node content #539
Comments
If we're doing this, I'd suggest including a dedicated public key to encrypt Welcome messages to for the This might also help clarify #538. |
Ties into #537 as well because |
@TWal one concern I have is how is that |
When sending a full
|
What about the scenario where Alice pulls down Bob's key package to add him to the group? In that case Alice can't do the conversion between formats on Bob's behalf. |
Alice don't have to do the conversion, this is why |
Ah somehow I missed that part in your original post. Makes sense |
I like this general direction. It solves a few things. Instead of having leaf nodes contain either a prepublished thing or a normal leaf node, how about having the prepublished thing wrap the leaf node thing? As a bonus, we get separation between the key pair used for Welcome encryption and the key pair that goes in the leaf for TreeKEM.
Then when Alice adds Bob, she extracts his LeafNodeContent and sends that in the Add. That doesn't let the other members of the group verify that Alice did the right thing w.r.t. expiry, but I'm not heartbroken about that. We might also be able to remove the extensions field from the outer (KeyPackage) wrapping if we turn the |
Why not keep sending the KeyPackage in the Add? That wouldn't cost much and would allow everyone to validate the lifetime. Note, that the lifetime is crucial in achieving PCS for pre-published key material. If I compromise Bob and get hold of the private key material of a bunch of his KeyPackages, I can add "Bob" to any group I want as long as the Credential inside the LeafNodeContent remains valid and Bob doesn't revoke the LeafNodeContent somehow. Also, we'll have to do this if we want to enable any member to send the Welcome message as you proposed here: #525 (comment). |
I agree that including In the first message of this issue I did this by including In any case, if we want to include |
It always feels a bit lazy to use an extension (and implementations have to be careful to check for their presence), but we could use a Another result of including GroupId in the KeyPackage is that the signature will explicitly sign the |
I don't think there's really a good way to get the
I could live with a solution of that character, but given it's a bit complex, might prefer to leave it out unless we get a useful property from it. @kkohbrok - Re: Sending KeyPackage in Add - Yep, that makes sense. So you would send KeyPackage in Add, and LeafNode in Update. |
I tried to worked through what would be necessary to implement this. It looks like it would require some fairly invasive changes to be made to rationalize the document's structure before making this change. But those changes should probably be made anyway. Proposal: Preparatory PR: Rationalize layout
Main PR:
We should probably do the preparatory PR regardless of this issue. |
Discussion on working call:
|
KeyPackage
s currently have two usages in the spec:Commit
Currently, things have been designed to use only one structure for both uses, leading to some weirdness such as:
version
andcipher_suite
are useful in the usage 1, but are parameters of the group in usage 2.hpke_init_key
is a good name in usage 1, but would better be namedhpke_key
in usage 2.ParentHash
, and we were also discussing about adding thegroup_id
in Stronger parent hashes for authenticated identities #527 to help prevent cross-group attacks)How about using different structures for these?
What would you think about refactoring
KeyPackage
like this?The text was updated successfully, but these errors were encountered: