more editorial changes #454
Conversation
draft-ietf-mls-protocol.md
Outdated
| in the initial GroupContext object. The `leaf_key_package` for this | ||
| UpdatePath must have a `parent_hash` extension. | ||
| * If populating the `path` field: Create an UpdatePath using the new tree and | ||
| the provisional GroupContext. Any new member (from an add proposal) MUST be |
There was a problem hiding this comment.
You say use the provisional GroupContext, but the original text says to use the original GroupContext
There was a problem hiding this comment.
The "A member of the group applies a Commit message by taking the following steps:" section says
- If the
pathvalue is populated: Process thepathvalue using the new ratchet tree and the provisional GroupContext, to update the ratchet tree and generate thecommit_secret:
So this change is to make the two sections consistent
There was a problem hiding this comment.
I agree it looks a bit inconsistent here indeed. I think this part is however the correct one and what you quote is confusing and should be changed instead.
The reason for my thinking is that the provisional group context is not known at this point in time and therefore the existing one should be used.
There was a problem hiding this comment.
If I'm reading the mlspp sources right, it looks like it uses the provisional GroupContext for this: https://github.com/cisco/mlspp/blob/main/src/state.cpp#L347-L359
The reason for my thinking is that the provisional group context is not known at this point in time and therefore the existing one should be used.
The provisional group context is created two steps before this step.
I personally don't care which one is used, but they should be consistent. For now, I'm going to follow what mlspp does, but if the consensus is that the original text here is correct, then I'm happy to change it.
There was a problem hiding this comment.
I think "provisional" is the right answer here. The idea of the GroupContext used with TreeKEM is to capture the tree to which the secrets are encapsulated. That tree is the one in the provisional GroupContext, to which the proposals have been applied.
draft-ietf-mls-protocol.md
Outdated
| * Construct an MLSPlaintext object containing the Commit object. Sign the | ||
| MLSPlaintext using the current epoch's GroupContext as context. Use the | ||
| `confirmation_key` for the new epoch to compute the `confirmation_tag` value | ||
| in the MLSPlaintext. |
There was a problem hiding this comment.
Again, mixing epochs seems bad
There was a problem hiding this comment.
This is how it works in the "A member of the group applies a Commit message by taking the following steps:" section. It verifies the signature before doing any modifications, and uses the confirmation_key from the new epoch.
draft-ietf-mls-protocol.md
Outdated
| in the initial GroupContext object. The `leaf_key_package` for this | ||
| UpdatePath must have a `parent_hash` extension. | ||
| * If populating the `path` field: Create an UpdatePath using the new tree and | ||
| the provisional GroupContext. Any new member (from an add proposal) MUST be |
There was a problem hiding this comment.
I agree it looks a bit inconsistent here indeed. I think this part is however the correct one and what you quote is confusing and should be changed instead.
The reason for my thinking is that the provisional group context is not known at this point in time and therefore the existing one should be used.
draft-ietf-mls-protocol.md
Outdated
| the `confirmation_tag` value in the MLSPlaintext. | ||
| * Use the `commit_secret`, the `psk_secret`, the provisional GroupContext, and | ||
| the init secret from the previous epoch to compute the epoch secret and | ||
| derived secrets for the new epoch. |
There was a problem hiding this comment.
This paragraph explains how the key schedule should be computed, but it omits quite a few steps (joiner secret, welcome secret, etc.) and the values are in the wrong chronologic order.
There was a problem hiding this comment.
This was basically a copy-and-paste from the other section. I can update both sections to be more accurate.
There was a problem hiding this comment.
I think I've addressed this comment
draft-ietf-mls-protocol.md
Outdated
| * If the `path` value is populated: Process the `path` value using the ratchet | ||
| tree the provisional GroupContext, to update the ratchet tree and generate the | ||
| * If the `path` value is populated: Process the `path` value using the new ratchet | ||
| tree and the provisional GroupContext, to update the ratchet tree and generate the |
There was a problem hiding this comment.
See comment from above. I think this part is indeed wrong and the broken syntax might be a hint that it's the result of a copy & pasta job gone wrong.
There was a problem hiding this comment.
This should be "provisional" in both cases -- the tree after applying proposals but before applying the UpdatePath.
There was a problem hiding this comment.
Uhm, yes. Obviously it can't be the "new" ratchet tree, since this is the step that creates the "new" ratchet tree. Not sure why I put "new" there.
There was a problem hiding this comment.
Oh, it's because we've only defined "old", "provisional", and "new" for GroupContext, and not for the ratchet tree. I'll adjust the wording to fix that up.
draft-ietf-mls-protocol.md
Outdated
| * Use the `init_secret` from the previous epoch, the `commit_secret` and the | ||
| `psk_secret` as defined in the previous steps, and the new GroupContext to | ||
| compute the new `joiner_secret`, `welcome_secret`, `epoch_secret`, and | ||
| derived secrets for the new epoch. |
There was a problem hiding this comment.
Alternatively, I can say "Use the ... and the new GroupContext to advance the key schedule." if we want to be less verbose.
|
|
||
| * Update the tree in the provisional state by applying the direct path |
There was a problem hiding this comment.
It looks like DirectPath was renamed to UpdatePath, and the UpdatePath is already applied in a previous step (as part of the step where it's actually created), so this looks to me like an obsolete leftover.
draft-ietf-mls-protocol.md
Outdated
| MLSPlaintext using the old GroupContext as context. Use the | ||
| `confirmation_key` for the new epoch to compute the `confirmation_tag` value, | ||
| and the `membership_key` for the old epoch to compute the `membership_tag` | ||
| value in the MLSPlaintext. |
There was a problem hiding this comment.
I'm not entirely sure why it takes the confirmation_key from the new epoch, but the membership_key from the old epoch, but that's what the current mlspp code does.
There was a problem hiding this comment.
Oh, actually, I do know, I think. The confirmation_tag allows the other group members to check that they derived the same tree/secrets as the sender. The membership_tag allows other group members to ensure that it was sent by a group member before processing the message. I think this is mentioned in other parts of the document, but I can reiterate here if necessary.
|
I've tried to align with the current mlspp code for how to process commits. If the current mlspp code is incorrect, or if I'm reading it incorrectly, I'm more than happy to fix my changes to reflect the correct behaviour. |
|
@bifurcation @raphaelrobert took action item to review editorial changes. |
draft-ietf-mls-protocol.md
Outdated
| in the initial GroupContext object. The `leaf_key_package` for this | ||
| UpdatePath must have a `parent_hash` extension. | ||
| * If populating the `path` field: Create an UpdatePath using the new tree and | ||
| the provisional GroupContext. Any new member (from an add proposal) MUST be |
There was a problem hiding this comment.
I think "provisional" is the right answer here. The idea of the GroupContext used with TreeKEM is to capture the tree to which the secrets are encapsulated. That tree is the one in the provisional GroupContext, to which the proposals have been applied.
draft-ietf-mls-protocol.md
Outdated
| * If the `path` value is populated: Process the `path` value using the ratchet | ||
| tree the provisional GroupContext, to update the ratchet tree and generate the | ||
| * If the `path` value is populated: Process the `path` value using the new ratchet | ||
| tree and the provisional GroupContext, to update the ratchet tree and generate the |
There was a problem hiding this comment.
This should be "provisional" in both cases -- the tree after applying proposals but before applying the UpdatePath.
Co-authored-by: Richard Barnes <rlb@ipv.sx>
and construct the new GroupContext in the right place
|
I think I've addressed all the comments. I also realized that the calculation of the new GroupContext was in the wrong spot (it has to be done after the MLSPlaintext is created (sans confirmation_tag), and then the confirmed transcript hash is created, then the new GroupContext, then the secrets, then the confirmation tag -- that's what mlspp does AFAICT), so I've fixed that up as well. |
|
@raphaelrobert I think if you're OK with this, we're clear to merge. |
| GroupContext uses the epoch number for the new epoch, and the old confirmed | ||
| transcript hash. This is used when creating the UpdatePath, if the | ||
| UpdatePath is needed. | ||
| 3. "New" refers to the ratchet tree and GroupContext constructed after applying |
There was a problem hiding this comment.
I'm still struggling with the fact that there are 3 ratcheting trees. In my mind there are only 2:
- The ratcheting tree before applying proposals and the (potential) UpdatePath
- The ratcheting tree after applying proposals and the (potential) UpdatePath
The ratcheting trees described here as "provisional" and "new" are in fact identical. It's just that they exist at different times. I think it would be good to make that clear, i.e. a "provisional" ratcheting tree becomes a "new" ratcheting tree when a Commit is applied.
There was a problem hiding this comment.
The "provisional" ratchet tree is the tree after applying the proposals, but before applying the UpdatePath. We could probably do without a "provisional" ratchet tree, but I think it helps with clarity to give it a name since applying the proposals and applying the UpdatePath are different steps.
There was a problem hiding this comment.
Discussed at 20211004 MLS interim.
There was a problem hiding this comment.
Fine, that makes sense to me!
|
As discussed at interim. @raphaelrobert review. If good, then merge. |
authenticated_datafield toMLSPlaintextCommitContentCommitsender andCommitreceiver seem to have gotten out of sync. I tried to sync them up (but let me know if I messed something up)