From 3927878f71ee419ed9db36732ea9a11c666bb748 Mon Sep 17 00:00:00 2001 From: EKR Date: Sat, 27 Jul 2024 15:41:43 -0700 Subject: [PATCH 1/2] Address comments from Yoav Nir and Rohan Mahy --- draft-ietf-mls-architecture.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/draft-ietf-mls-architecture.md b/draft-ietf-mls-architecture.md index 064fe26..d5a6f7d 100644 --- a/draft-ietf-mls-architecture.md +++ b/draft-ietf-mls-architecture.md @@ -1418,12 +1418,13 @@ MLS provides additional protection regarding secrecy of past messages and future messages. These cryptographic security properties are Forward Secrecy (FS) and Post-Compromise Security (PCS). -FS means that access to all encrypted traffic history combined with access to -all current keying material on clients will not defeat the secrecy properties of -messages older than the oldest key of the compromised client. Note that this -means that clients have the extremely important role of deleting appropriate -keys as soon as they have been used with the expected message, otherwise the -secrecy of the messages and the security for MLS is considerably weakened. +FS means that access to all encrypted traffic history combined with +access to all current keying material on clients will not defeat the +secrecy properties of messages older than the oldest key of the +compromised client. Note that this means that clients the appropriate +keys as soon as they have been used with the expected message, +otherwise the secrecy of the messages and the security for MLS is +considerably weakened. PCS means that if a group member's state is compromised at some time t1 but the group member subsequently performs an update at some time t2, then all MLS @@ -1967,7 +1968,7 @@ and identities. If the signature keys are reused across groups, the adversary can get more information about the targeted user. > **RECOMMENDATION:** Ensure that linking between public keys and identities -> only happens in expected scenarios. Otherwise privilege a stronger separation. +> only happens in expected scenarios. ## Considerations for attacks outside of the threat model From fdb4ab1718b07c6ad5d16abb513020603bdb870d Mon Sep 17 00:00:00 2001 From: Eric Rescorla Date: Sat, 27 Jul 2024 16:02:18 -0700 Subject: [PATCH 2/2] Update draft-ietf-mls-architecture.md Co-authored-by: Rohan Mahy --- draft-ietf-mls-architecture.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-mls-architecture.md b/draft-ietf-mls-architecture.md index d5a6f7d..0093257 100644 --- a/draft-ietf-mls-architecture.md +++ b/draft-ietf-mls-architecture.md @@ -1421,7 +1421,7 @@ Post-Compromise Security (PCS). FS means that access to all encrypted traffic history combined with access to all current keying material on clients will not defeat the secrecy properties of messages older than the oldest key of the -compromised client. Note that this means that clients the appropriate +compromised client. Note that this means that clients have to delete the appropriate keys as soon as they have been used with the expected message, otherwise the secrecy of the messages and the security for MLS is considerably weakened.