View source for Talk:MpOTR/Overview
This is a threaded discussion list to collate all discourse on protocol creation, adversarial models, et al. Should you wish to contact us directly by email, please use http://equalit.ie/#contact
- [View source↑]
- [History↑]
Contents
Thread title | Replies | Last modified |
---|---|---|
Protocol name | 3 | 14:14, 30 September 2014 |
To-Dos for release candidate | 0 | 17:51, 6 August 2014 |
Transport reliability | 1 | 15:58, 4 August 2014 |
Rename "broadcast scheme" | 1 | 23:14, 2 August 2014 |
I'm hesitant about "mpOTR". 2-party OTR works well on IRC, even though messages may be dropped. But in the group setting, in order to ensure transcript consistency, you basically require reliability which IRC does not do. So the current proposal can only work for XMPP.
OTR doesn't do transparent consistency, that's why it works well on IRC :) The original mpOTR proposal consistency check also fails on IRC pretty often so that's why I think there is no harm calling it mpOTR. Beside OTR for "off the record", the important features are deniability and confidentiality (strengthen with forward secrecy) and consistency check isn't even part of the OTR concept (probably that's why it wasn't a concern in the OTR protocol).
I'm don't like mpChat, has nothing to do with confidentiality etc.
I think now that Cryptocat isn't directly under umbrella of eQualit.ie, it isn't relevant enough. Beside people has raised concern about the name and considering the situation isn't
Because we are following all requirements of the original OTR, I think it is fair to use OTR string in the name. Maybe something like what Trevor suggested makes more sense to avoid confusion from the original mpOTR paper. What about mqOTR, it is a sequel to mpOTR and has the Q from eQualit.ie and the belle province :) just a suggestion.
OK, now that we were barred from using OTR accronym, my new suggestion is mpSeQ, motivation:
1. so sound mpSec for multiparty secure (messaging). I believe we are doing more than just being off the record (authentication, consistency, etc). Being provably deniable is just another security aspect of the protocol. 2. eQ for equalit.ie. 3. It might be used for more than instant messaging, so more like multiparty communication or collaboration. So "messaging" part is less crucial to appear in the name.
Ximin Luo <infinity0@pwned.gg> writes: the issue is *not* merely a matter of sticking a recovery system on top of mpCAT, as you argue below. If you are not aware of *how recovery systems work*, then you may end up with a mpCAT that does things that it *impossible* to add such a system onto it.
In my opinion mpCAT should be like SSL and IPSEC, the messaging transport control protocol (MTCP) should act like TCP. The transport protocol should try to build the message tree you had in mind then a tree can be trun into a global order which can be passed to mpCat to just affirming the consistency of the global order. So basically like IP header over TCP header over SSL, we have "MTCP:blablah:3blah2blah2" then, MTCP will put the ":3blah2blah2" in correct order then pass it to mpCAT.
> for the end-to-end clients to be able to recover from message dropping, the server needs to add its own *sequence number* to messages;
I think assuming extra ordinary config/storage/abilities for the server, defeat the purpose of end-to-endness. If some participants are malicious probably you can't do much bar failing to democratic decisions or admin dictatorship. But under assumption of honesty, it shouldn't be impossible to recover the tree collectively.
> timestamps are not enough.
All I'm saying using time stamps in contrast to lexicographical ordering required in original mpOTR, makes us able to detect order tampering, in optimistic way. It wasn't about recovery.
> if he is told "all future messages may not be consistent".
No by reset, I meant it says some line between message x and y isn't consistence and we are restarting consistency check so you all are consistence after message y.". (an easily implementable compromise is to reset consistency digest at each group key exchange, I'll add that if nobody objects).
> Perhaps there is some confusion over one of our goals. One nice goals is to end up with a transport agnostic protocol, that
Again, in my opinion the MTCP should run in a lower layer than mpCat like TCP, that is how we can be transport agnostic. However, I think there is a general consensus that async is off the table for now.
By "broadcast scheme", this refers collectively to the peer-to-peer pairwise broadcast, or the "sender keys" optimisation on top of it. I think "broadcast scheme" is too generic and confusing. How about "p2p-broadcast", "full-broadcast", "sender-broadcast", or "member-broadcast"?
I also disagree with "Each participant will have its own different $plist_i$ which is able to broadcast too.". In all schemes, every member should eventually reach the same plist as everyone else. In all schemes, there will be a period where different members have different plists - e.g. even in the GKE case, some members will receive the final round of the GKE earlier than others, so switch to the new plist earlier than those others.
The key difference is that in the p2p-broadcast case, (optionally) members are able to *provisionally send* to the new plist earlier than some other members do, without receiving a key confirmation (and with a forward secrecy penalty if there was an active attack).
I don't think any of those schemes are fundamentally different. The fundamental difference in threat model (and in implementation) is can we start sending message before everybody a reach same view of the room or not.
Original mpOTR doesn't allow it and it is much simpler in implementation and we have security proof for it. My guess is that it doesn't make a huge difference in user experience in majority of xmpp usages. It is also not hard to tweak the code and algorithm to fall back to the different view scenario, that is why I prefer to go with that.