Barking Up The Ratchet Tree – MLS Is Neither Royal Nor Nude
17 points by fanf
I don’t know enough to have an opinion on this, so I won’t offer one, but I do wish there were some more comments to help explain the issue.
Since you asked: you want to have a group chat with your friends Alice and Bob.
MLS lets you agree on a group key with the holders of some private keys K and L.
Soatok emphasizes that MLS is a useful building block for a group chat service, but agrees with the original blog (“MLS: the naked king…”) that linking keys K to Alice and L to Bob (“Authentication Service”) matters, and adds that actually encrypting messages is also important.
Ultimately, Soatok thinks that the original blog is mostly “misunderstanding” MLS, but does wonder how to improve (“science”) communication to avoid such misunderstandings in the future.
So, I guess the question I really wanted answered is, can Bob’s Authentication Service join new chats as Bob, and possibly join existing chats as a new device for Bob, as the original article alleges? Or is the point of Soatok’s article that that’s implementation dependent/unspecified and not a consequence of the spec, and no one would knowingly create an implementation where that’s possible?
I think the authors wanted to warn you about some pitfalls of using a badly-designed authn service, but didn’t want to try to tackle designing such a service as part of MLS. So they left authn as a user-provided black box and added some warnings about being careful. And I think Soatok is saying this caused confusion, where “unspecified but be careful” was interpreted as “deliberate security hole”.
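To make the “black box” point concrete, here is an added example (not code from Soatok’s post, the original blog, or any MLS implementation) of the gap the two comments above describe: a group that accepts any key claiming to be Bob, beside one that only accepts a key the Authentication Service has vouched for. The `Group`, `Credential`, `issue_credential` and `binding_is_valid` names are constructed for this illustration, a keyed MAC stands in for whatever signature or key-transparency proof a real AS would produce, and the “public keys” are random bytes rather than real MLS leaf keys.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed for this example: the Authentication Service (AS) holds a key it
# uses to vouch for identity -> public-key bindings. MLS leaves the AS
# unspecified; a keyed MAC stands in here for a real signature or transparency proof.
AS_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Credential:
    identity: str
    public_key: bytes
    tag: bytes  # the AS's attestation over (identity, public_key)


def _binding_message(identity: str, public_key: bytes) -> bytes:
    # Length-separated so "Alice" + key cannot collide with another split.
    return identity.encode() + b"\x00" + public_key


def issue_credential(as_key: bytes, identity: str, public_key: bytes) -> Credential:
    tag = hmac.new(as_key, _binding_message(identity, public_key), hashlib.sha256).digest()
    return Credential(identity, public_key, tag)


def binding_is_valid(as_key: bytes, cred: Credential, expected_identity: str, offered_key: bytes) -> bool:
    # The credential must name the identity we expect AND the exact key being offered.
    if cred.identity != expected_identity or cred.public_key != offered_key:
        return False
    expected = hmac.new(as_key, _binding_message(cred.identity, cred.public_key), hashlib.sha256).digest()
    return hmac.compare_digest(cred.tag, expected)


class Group:
    """Toy stand-in for an MLS group: tracks which (identity, key) pairs it would agree a key with."""

    def __init__(self) -> None:
        self.members: dict[str, bytes] = {}

    def add_member_unauthenticated(self, identity: str, public_key: bytes) -> bool:
        # What key agreement alone gives you: any key that says "I am Bob" is accepted.
        self.members[identity] = public_key
        return True

    def add_member(self, as_key: bytes, identity: str, public_key: bytes, cred: Credential) -> bool:
        # What the AS is for: refuse the key unless the AS vouches that it belongs to `identity`.
        if not binding_is_valid(as_key, cred, identity, public_key):
            return False
        self.members[identity] = public_key
        return True


def demo() -> dict:
    key_k = secrets.token_bytes(32)  # Alice's key K (constructed)
    key_l = secrets.token_bytes(32)  # Bob's key L (constructed)
    key_m = secrets.token_bytes(32)  # a key nobody vouched for as Bob (constructed)
    alice_cred = issue_credential(AS_KEY, "Alice", key_k)
    bob_cred = issue_credential(AS_KEY, "Bob", key_l)

    naive = Group()
    naive.add_member_unauthenticated("Bob", key_m)

    checked = Group()
    results = {
        "naive_accepts_unvouched_key": naive.members["Bob"] == key_m,
        "alice_accepted": checked.add_member(AS_KEY, "Alice", key_k, alice_cred),
        "bob_accepted": checked.add_member(AS_KEY, "Bob", key_l, bob_cred),
        # Bob's credential presented with a different key: rejected.
        "wrong_key_rejected": checked.add_member(AS_KEY, "Bob", key_m, bob_cred),
        # Alice's credential presented under Bob's name: rejected.
        "wrong_identity_rejected": checked.add_member(AS_KEY, "Bob", key_k, alice_cred),
        # A tag made without the AS key does not verify.
        "forged_tag_rejected": checked.add_member(
            AS_KEY, "Bob", key_m, Credential("Bob", key_m, secrets.token_bytes(32))
        ),
        # The trust-critical part: whoever holds the AS key can vouch for any key as "Bob".
        "as_can_vouch_for_any_key": checked.add_member(
            AS_KEY, "Bob", key_m, issue_credential(AS_KEY, "Bob", key_m)
        ),
    }
    results["checked_group_bob_key_is_l"] = checked.members["Bob"] == key_l
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of `demo()` are the part that answers the question in the thread: in this toy, the AS is the only thing standing between “a key” and “Bob”, so a dishonest or compromised AS can vouch for any key it likes, which is why proposals that constrain the AS (such as the key-transparency design mentioned further down) matter to the threat model rather than being an optional extra.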
Or is the point of Soatok’s article that that’s implementation dependent/unspecified and not a consequence of the spec, and no one would knowingly create an implementation where that’s possible?
This one. Specifically that it’s treated as a black box that you can fill in based on your trust/threat model. There are various approaches, the article calls out their proposal for the Fediverse e2ee using key transparency (if I understood it correctly), which has a detailed threat model analysis that seems to make quite strong claims at a glance (I’m clueless though).
no one would knowingly create an implementation where that’s possible.
I could easily see an internal or more static system allow that, or already have some trusted authentication to integrate.
The author of the original blog post is the founder of SimpleX, a Signal competitor that also doesn’t use MLS.