-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authn v2 #59
Authn v2 #59
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Globally I think this goes in the right direction but I have a few concerns:
- I am fine with removing
GroupAdd
for now
- I would have preferred to keep the paragraph on TreeKEM
- Even though I understand factoring out everything into
GroupState
structure can be helpful, we should avoid using it for everything (like in the Key Schedule and Handshake messages <> Add) when we only need to use specific information. I think it was better before.
draft-ietf-mls-protocol.md
Outdated
|
||
* The `group_id` field is an application-defined identifier for the | ||
group. | ||
* The `size` field represents the total number of key-exchange slots |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't mean anything... does it represent the maximum numbers of participants in the group ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, this can be eliminated, since it can be derived from the length of the tree
vector.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is still in the text...
draft-ietf-mls-protocol.md
Outdated
in the group, whether or not these slots are currently occupied. | ||
* The `epoch` field represents the current version of the group key. | ||
* The `roster` field contains credentials for the occupied slots in | ||
the tree, including the identity and public key for the holder of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean by "identity and public key for the holder of the slot". Do you mean the current signature and encryption public keys ?
(signature pubkey, which is currently the long term identity key in the rest of the text)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Public key" == "Signature public key". ("Identity" is whatever opaque string the application assigns) Note that because this state can change, we're not committed to using long-term identity keys.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/public key/signature public key/
still needs to be implemented, it is unclear otherwise
draft-ietf-mls-protocol.md
Outdated
@@ -281,45 +281,9 @@ A B C Directory Channel | |||
|
|||
Subsequent additions of group members proceed in the same way. Any | |||
member of the group can download an InitKey for a new participant | |||
and broadcast a GroupAdd which the current group can use to update | |||
and broadcast an Add which the current group can use to update |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "an Add message"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the overall direction seems good. Have few nits overall , but given we will be discussing the content at the interim , LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @bifurcation ! I still think we should NOT use the entire group state everywhere in the key schedule but only what we need to get the cryptographic security properties we want, so I would prefer holding that change for a next iteration... Other than with fixes you marked as resolved, I think this is good to go 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you are almost good to go here... : )
draft-ietf-mls-protocol.md
Outdated
|
||
* The `group_id` field is an application-defined identifier for the | ||
group. | ||
* The `size` field represents the total number of key-exchange slots |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is still in the text...
draft-ietf-mls-protocol.md
Outdated
in the group, whether or not these slots are currently occupied. | ||
* The `epoch` field represents the current version of the group key. | ||
* The `roster` field contains credentials for the occupied slots in | ||
the tree, including the identity and public key for the holder of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/public key/signature public key/
still needs to be implemented, it is unclear otherwise
draft-ietf-mls-protocol.md
Outdated
@@ -924,16 +882,11 @@ proceeds as shown in the following diagram: | |||
Update Secret -> HKDF-Extract = Epoch Secret | |||
| | |||
| | |||
+--> Derive-Secret(., "msg", ID, Epoch, Msg) | |||
+--> Derive-Secret(., "msg", GroupState_n) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we don't use the _[N]
subscript to give the precise version of the secrets, maybe just use GroupState
instead of GroupState_n
?
draft-ietf-mls-protocol.md
Outdated
|
||
[[ OPEN ISSUE: The Add and Delete operations create a "double-join" | ||
2. Use the `key_exchange` message to produce an updated GroupState |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
key_exchange
is now called GroupOperation
draft-ietf-mls-protocol.md
Outdated
4. Use that public key to verify the `signature` field in the | ||
Handshake message, with the updated GroupState object as input. | ||
|
||
5. If the signature fails to verify, discared the updated GroupState |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
discared -> discard
group must take two actions: | ||
|
||
1. Send a Welcome message to the new member | ||
2. Send an Add message to the group (including the new member) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The order is probably wrong, since the Welcome
message should only be sent if the Add
message succeeded. We should think some more about synchronicity issues that we want to avoid.
Ideally the Add
and Welcome
message are on atomic operation in which all old and new members are notified at the same time. However since the existing member now waits for the Add
to be successful before sending the (rather large) Welcome
, there might be edge cases when the Welcome
is never sent because the inviting member went offline too early.
For now I think we should keep this as an open issue. Going forward we should consider improvements, such as splitting the Welcome
into a light header that gets reliably dispatched at the same time with the Add
and a larger message containing the roster and the tree.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that there's an open issue for this a few lines further down. I agree that this is a tricky sync to get right. Shoving the Welcome message in the Add message might simplify this, but the cost of sending an O(N) size message to everyone seems steep.
draft-ietf-mls-protocol.md
Outdated
* Update the group's identity tree and ratchet tree with the new | ||
participant's information | ||
* Increment the size of the group | ||
* Verify the signature on the included UserInitKey |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Obviously if the verification fails, none of the changes should be applied.
This PR reflects a concrete scheme on top of #58 that implements the authentication framework discussed on the list recently. There are a few major changes:
GroupState
structure that is incorporated into the key schedule and signaturesWelcome
message that provisions a new member with roster and tree information