-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
more editorial changes #454
Conversation
draft-ietf-mls-protocol.md
Outdated
in the initial GroupContext object. The `leaf_key_package` for this | ||
UpdatePath must have a `parent_hash` extension. | ||
* If populating the `path` field: Create an UpdatePath using the new tree and | ||
the provisional GroupContext. Any new member (from an add proposal) MUST be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You say use the provisional GroupContext, but the original text says to use the original GroupContext
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "A member of the group applies a Commit message by taking the following steps:" section says
- If the
path
value is populated: Process thepath
value using the new ratchet tree and the provisional GroupContext, to update the ratchet tree and generate thecommit_secret
:
So this change is to make the two sections consistent
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree it looks a bit inconsistent here indeed. I think this part is however the correct one and what you quote is confusing and should be changed instead.
The reason for my thinking is that the provisional group context is not known at this point in time and therefore the existing one should be used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I'm reading the mlspp sources right, it looks like it uses the provisional GroupContext for this: https://github.com/cisco/mlspp/blob/main/src/state.cpp#L347-L359
The reason for my thinking is that the provisional group context is not known at this point in time and therefore the existing one should be used.
The provisional group context is created two steps before this step.
I personally don't care which one is used, but they should be consistent. For now, I'm going to follow what mlspp does, but if the consensus is that the original text here is correct, then I'm happy to change it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think "provisional" is the right answer here. The idea of the GroupContext used with TreeKEM is to capture the tree to which the secrets are encapsulated. That tree is the one in the provisional GroupContext, to which the proposals have been applied.
draft-ietf-mls-protocol.md
Outdated
* Construct an MLSPlaintext object containing the Commit object. Sign the | ||
MLSPlaintext using the current epoch's GroupContext as context. Use the | ||
`confirmation_key` for the new epoch to compute the `confirmation_tag` value | ||
in the MLSPlaintext. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, mixing epochs seems bad
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is how it works in the "A member of the group applies a Commit message by taking the following steps:" section. It verifies the signature before doing any modifications, and uses the confirmation_key
from the new epoch.
draft-ietf-mls-protocol.md
Outdated
in the initial GroupContext object. The `leaf_key_package` for this | ||
UpdatePath must have a `parent_hash` extension. | ||
* If populating the `path` field: Create an UpdatePath using the new tree and | ||
the provisional GroupContext. Any new member (from an add proposal) MUST be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree it looks a bit inconsistent here indeed. I think this part is however the correct one and what you quote is confusing and should be changed instead.
The reason for my thinking is that the provisional group context is not known at this point in time and therefore the existing one should be used.
draft-ietf-mls-protocol.md
Outdated
the `confirmation_tag` value in the MLSPlaintext. | ||
* Use the `commit_secret`, the `psk_secret`, the provisional GroupContext, and | ||
the init secret from the previous epoch to compute the epoch secret and | ||
derived secrets for the new epoch. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This paragraph explains how the key schedule should be computed, but it omits quite a few steps (joiner secret, welcome secret, etc.) and the values are in the wrong chronologic order.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was basically a copy-and-paste from the other section. I can update both sections to be more accurate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I've addressed this comment
draft-ietf-mls-protocol.md
Outdated
* If the `path` value is populated: Process the `path` value using the ratchet | ||
tree the provisional GroupContext, to update the ratchet tree and generate the | ||
* If the `path` value is populated: Process the `path` value using the new ratchet | ||
tree and the provisional GroupContext, to update the ratchet tree and generate the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comment from above. I think this part is indeed wrong and the broken syntax might be a hint that it's the result of a copy & pasta job gone wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be "provisional" in both cases -- the tree after applying proposals but before applying the UpdatePath.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Uhm, yes. Obviously it can't be the "new" ratchet tree, since this is the step that creates the "new" ratchet tree. Not sure why I put "new" there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, it's because we've only defined "old", "provisional", and "new" for GroupContext, and not for the ratchet tree. I'll adjust the wording to fix that up.
draft-ietf-mls-protocol.md
Outdated
* Use the `init_secret` from the previous epoch, the `commit_secret` and the | ||
`psk_secret` as defined in the previous steps, and the new GroupContext to | ||
compute the new `joiner_secret`, `welcome_secret`, `epoch_secret`, and | ||
derived secrets for the new epoch. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively, I can say "Use the ... and the new GroupContext to advance the key schedule." if we want to be less verbose.
|
||
* Update the tree in the provisional state by applying the direct path |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like DirectPath was renamed to UpdatePath, and the UpdatePath is already applied in a previous step (as part of the step where it's actually created), so this looks to me like an obsolete leftover.
draft-ietf-mls-protocol.md
Outdated
MLSPlaintext using the old GroupContext as context. Use the | ||
`confirmation_key` for the new epoch to compute the `confirmation_tag` value, | ||
and the `membership_key` for the old epoch to compute the `membership_tag` | ||
value in the MLSPlaintext. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not entirely sure why it takes the confirmation_key
from the new epoch, but the membership_key
from the old epoch, but that's what the current mlspp code does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, actually, I do know, I think. The confirmation_tag
allows the other group members to check that they derived the same tree/secrets as the sender. The membership_tag
allows other group members to ensure that it was sent by a group member before processing the message. I think this is mentioned in other parts of the document, but I can reiterate here if necessary.
I've tried to align with the current mlspp code for how to process commits. If the current mlspp code is incorrect, or if I'm reading it incorrectly, I'm more than happy to fix my changes to reflect the correct behaviour. |
@bifurcation @raphaelrobert took action item to review editorial changes. |
draft-ietf-mls-protocol.md
Outdated
in the initial GroupContext object. The `leaf_key_package` for this | ||
UpdatePath must have a `parent_hash` extension. | ||
* If populating the `path` field: Create an UpdatePath using the new tree and | ||
the provisional GroupContext. Any new member (from an add proposal) MUST be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think "provisional" is the right answer here. The idea of the GroupContext used with TreeKEM is to capture the tree to which the secrets are encapsulated. That tree is the one in the provisional GroupContext, to which the proposals have been applied.
draft-ietf-mls-protocol.md
Outdated
* If the `path` value is populated: Process the `path` value using the ratchet | ||
tree the provisional GroupContext, to update the ratchet tree and generate the | ||
* If the `path` value is populated: Process the `path` value using the new ratchet | ||
tree and the provisional GroupContext, to update the ratchet tree and generate the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be "provisional" in both cases -- the tree after applying proposals but before applying the UpdatePath.
Co-authored-by: Richard Barnes <rlb@ipv.sx>
and construct the new GroupContext in the right place
I think I've addressed all the comments. I also realized that the calculation of the new GroupContext was in the wrong spot (it has to be done after the MLSPlaintext is created (sans confirmation_tag), and then the confirmed transcript hash is created, then the new GroupContext, then the secrets, then the confirmation tag -- that's what mlspp does AFAICT), so I've fixed that up as well. |
@raphaelrobert I think if you're OK with this, we're clear to merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more comment about the 3 ratcheting trees
GroupContext uses the epoch number for the new epoch, and the old confirmed | ||
transcript hash. This is used when creating the UpdatePath, if the | ||
UpdatePath is needed. | ||
3. "New" refers to the ratchet tree and GroupContext constructed after applying |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still struggling with the fact that there are 3 ratcheting trees. In my mind there are only 2:
- The ratcheting tree before applying proposals and the (potential) UpdatePath
- The ratcheting tree after applying proposals and the (potential) UpdatePath
The ratcheting trees described here as "provisional" and "new" are in fact identical. It's just that they exist at different times. I think it would be good to make that clear, i.e. a "provisional" ratcheting tree becomes a "new" ratcheting tree when a Commit is applied.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "provisional" ratchet tree is the tree after applying the proposals, but before applying the UpdatePath. We could probably do without a "provisional" ratchet tree, but I think it helps with clarity to give it a name since applying the proposals and applying the UpdatePath are different steps.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed at 20211004 MLS interim.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fine, that makes sense to me!
As discussed at interim. @raphaelrobert review. If good, then merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ready to be merged from my side.
authenticated_data
field toMLSPlaintextCommitContent
Commit
sender andCommit
receiver seem to have gotten out of sync. I tried to sync them up (but let me know if I messed something up)