Authn v2 #59
Authn v2 #59
Conversation
There was a problem hiding this comment.
Globally I think this goes in the right direction but I have a few concerns:
- I am fine with removing
GroupAddfor now
- I would have preferred to keep the paragraph on TreeKEM
- Even though I understand factoring out everything into
GroupStatestructure can be helpful, we should avoid using it for everything (like in the Key Schedule and Handshake messages <> Add) when we only need to use specific information. I think it was better before.
draft-ietf-mls-protocol.md
Outdated
|
|
||
| * The `group_id` field is an application-defined identifier for the | ||
| group. | ||
| * The `size` field represents the total number of key-exchange slots |
There was a problem hiding this comment.
This doesn't mean anything... does it represent the maximum numbers of participants in the group ?
There was a problem hiding this comment.
Actually, this can be eliminated, since it can be derived from the length of the tree vector.
There was a problem hiding this comment.
This is still in the text...
draft-ietf-mls-protocol.md
Outdated
| in the group, whether or not these slots are currently occupied. | ||
| * The `epoch` field represents the current version of the group key. | ||
| * The `roster` field contains credentials for the occupied slots in | ||
| the tree, including the identity and public key for the holder of |
There was a problem hiding this comment.
What do you mean by "identity and public key for the holder of the slot". Do you mean the current signature and encryption public keys ?
(signature pubkey, which is currently the long term identity key in the rest of the text)
There was a problem hiding this comment.
"Public key" == "Signature public key". ("Identity" is whatever opaque string the application assigns) Note that because this state can change, we're not committed to using long-term identity keys.
There was a problem hiding this comment.
s/public key/signature public key/ still needs to be implemented, it is unclear otherwise
draft-ietf-mls-protocol.md
Outdated
| @@ -281,45 +281,9 @@ A B C Directory Channel | |||
|
|
|||
| Subsequent additions of group members proceed in the same way. Any | |||
| member of the group can download an InitKey for a new participant | |||
| and broadcast a GroupAdd which the current group can use to update | |||
| and broadcast an Add which the current group can use to update | |||
There was a problem hiding this comment.
Thanks @bifurcation ! I still think we should NOT use the entire group state everywhere in the key schedule but only what we need to get the cryptographic security properties we want, so I would prefer holding that change for a next iteration... Other than with fixes you marked as resolved, I think this is good to go 👍
draft-ietf-mls-protocol.md
Outdated
|
|
||
| * The `group_id` field is an application-defined identifier for the | ||
| group. | ||
| * The `size` field represents the total number of key-exchange slots |
There was a problem hiding this comment.
This is still in the text...
draft-ietf-mls-protocol.md
Outdated
| in the group, whether or not these slots are currently occupied. | ||
| * The `epoch` field represents the current version of the group key. | ||
| * The `roster` field contains credentials for the occupied slots in | ||
| the tree, including the identity and public key for the holder of |
There was a problem hiding this comment.
s/public key/signature public key/ still needs to be implemented, it is unclear otherwise
draft-ietf-mls-protocol.md
Outdated
| @@ -924,16 +882,11 @@ proceeds as shown in the following diagram: | |||
| Update Secret -> HKDF-Extract = Epoch Secret | |||
| | | |||
| | | |||
| +--> Derive-Secret(., "msg", ID, Epoch, Msg) | |||
| +--> Derive-Secret(., "msg", GroupState_n) | |||
There was a problem hiding this comment.
If we don't use the _[N] subscript to give the precise version of the secrets, maybe just use GroupState instead of GroupState_n ?
draft-ietf-mls-protocol.md
Outdated
|
|
||
| [[ OPEN ISSUE: The Add and Delete operations create a "double-join" | ||
| 2. Use the `key_exchange` message to produce an updated GroupState |
There was a problem hiding this comment.
key_exchange is now called GroupOperation
draft-ietf-mls-protocol.md
Outdated
| 4. Use that public key to verify the `signature` field in the | ||
| Handshake message, with the updated GroupState object as input. | ||
|
|
||
| 5. If the signature fails to verify, discared the updated GroupState |
| group must take two actions: | ||
|
|
||
| 1. Send a Welcome message to the new member | ||
| 2. Send an Add message to the group (including the new member) |
There was a problem hiding this comment.
The order is probably wrong, since the Welcome message should only be sent if the Add message succeeded. We should think some more about synchronicity issues that we want to avoid.
Ideally the Add and Welcome message are on atomic operation in which all old and new members are notified at the same time. However since the existing member now waits for the Add to be successful before sending the (rather large) Welcome, there might be edge cases when the Welcome is never sent because the inviting member went offline too early.
For now I think we should keep this as an open issue. Going forward we should consider improvements, such as splitting the Welcome into a light header that gets reliably dispatched at the same time with the Add and a larger message containing the roster and the tree.
There was a problem hiding this comment.
Note that there's an open issue for this a few lines further down. I agree that this is a tricky sync to get right. Shoving the Welcome message in the Add message might simplify this, but the cost of sending an O(N) size message to everyone seems steep.
draft-ietf-mls-protocol.md
Outdated
| * Update the group's identity tree and ratchet tree with the new | ||
| participant's information | ||
| * Increment the size of the group | ||
| * Verify the signature on the included UserInitKey |
There was a problem hiding this comment.
Obviously if the verification fails, none of the changes should be applied.
This PR reflects a concrete scheme on top of #58 that implements the authentication framework discussed on the list recently. There are a few major changes:
GroupStatestructure that is incorporated into the key schedule and signaturesWelcomemessage that provisions a new member with roster and tree information