From 82dcf3e529504d3ba5aaf3386d046808ca4e79ce Mon Sep 17 00:00:00 2001 From: Eric Rescorla Date: Thu, 21 Mar 2024 16:42:56 -0700 Subject: [PATCH] Explain the impact of unencrypted operations. Fixes #210 (#246) * Explain the impact of unencrypted operations. Fixes #210 Incorporate a revised version of @rohan-wire's text from Issue #210. Instead of telling people they should use encrypted messages, instead explain the consequences of doing so or not. * Update draft-ietf-mls-architecture.md Co-authored-by: rohan-wire <91096103+rohan-wire@users.noreply.github.com> * Update draft-ietf-mls-architecture.md Co-authored-by: Richard Barnes * Update draft-ietf-mls-architecture.md Co-authored-by: Richard Barnes * add missing parenthesis Co-authored-by: Rohan Mahy --------- Co-authored-by: rohan-wire <91096103+rohan-wire@users.noreply.github.com> Co-authored-by: Richard Barnes Co-authored-by: Sean Turner Co-authored-by: Rohan Mahy --- draft-ietf-mls-architecture.md | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/draft-ietf-mls-architecture.md b/draft-ietf-mls-architecture.md index 581e108..64b25d6 100644 --- a/draft-ietf-mls-architecture.md +++ b/draft-ietf-mls-architecture.md 
@@ -907,16 +907,22 @@ application could decide that a group administrator will be the only member to perform add and remove operations. On the other hand, in many settings such as open discussion forums, joining can be allowed for anyone. -The MLS protocol can, in certain modes, exchange unencrypted group operation -messages. This flexibility is to allow services to perform access control tasks -on behalf of the group. - -While the Application messages will always be encrypted, having the handshake -messages in plaintext has privacy consequences as someone could -collect the signatures on the handshake messages and use them for tracking. - -> **RECOMMENDATION:** Prefer using encrypted group operation messages to avoid -> privacy issues related to non-encrypted signatures. +While MLS Application messages are always encrypted, +MLS handshake messages can be sent either encrypted (in an MLS +PrivateMessage) or unencrypted (in an MLS PublicMessage). Applications +may be designed such that intermediaries need to see handshake +messages, for example to enforce policy on which commits are allowed, +or to provide MLS ratchet tree data in a central location. If +handshake messages are unencrypted, it is especially important that +they be sent over a channel with strong transport encryption +(see {{security-and-privacy-considerations}}) in order to prevent external +attackers from monitoring the status of the group. Applications that +use unencrypted handshake messages may take additional steps to reduce +the amount of metadata that is exposed to the intermediary. Everything +else being equal, using encrypted handshake messages provides stronger +privacy properties than using unencrypted handshake messages, +as it prevents intermediaries from learning about the structure +of the group. If handshake messages are encrypted, any access control policies must be applied at the client, so the application must ensure
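Review bot: The added paragraph loses the one concrete privacy consequence that the removed text named, namely that someone could collect the signatures on plaintext handshake messages and use them for tracking. The closing sentence now says only that encryption "prevents intermediaries from learning about the structure of the group". Since the commit message states the aim is to explain the consequences instead of giving a recommendation, consider keeping a sentence on signature-based tracking next to that closing sentence. Separately, "may take additional steps to reduce the amount of metadata that is exposed to the intermediary" names no step. Either give one example or point to the section that covers it, as the transport-encryption sentence does with {{security-and-privacy-considerations}}.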