KEYTRANS@IETF119

Date/Time: 2024-03-20 00:00-01:30 CDT

Chairs: Shivan Sahib, Prachi Jain
Note-takers: Daniel Kahn Gillmor, Devon O'Brien

Agenda

Administrivia (10 minutes)

Presentations (80 mins)

Minutes

Architecture document

Reviewed feedback from IETF 118. New draft addresses points raised.

Overview of anonymous E2EE.

Federation

Lifecycle Management

dkg: Once you've pruned information, how do users know that there wasn't
mischeif occurring in the now missing data?
Brendan: It's difficult to answer this question. If you still need data
for monitoring, that data cannot be deleted.

Kevi Lewi: Pruning a subtree seems to violate the apped-only properties

Brendan: You never lose the append-only property when you delete
subtrees. Data needed by auditors should not be deleted. Root hash still
covers deleted data, even if that data doesn't exist on disk anymore.

Compliance with Privacy Laws

User Names

Orie Steele: Trying to understand privacy properties around VRF and
salting messages going into log. What's the role of VRF here?
Brendan: VRF maps input bytes to output bytes, which are essentially
random unless you have the VRF proof. Shows uniqueness, correctness.
When removing things to e.g. comply with privacy laws, you delete the
input key and proof. Reduces to a problem similar to password cracking.
If VRF key is compromised, can do password cracking to recover data.

Privacy

Orie Steele: Does this only apply to scenarios when you're trying to
hide userbase size?
Brendan: Yes. If you don't care, this can be leaked and you don't need
to pad. E.g. WhatsApp reports userbase numbers via separate channels.
Old approach could leak additional info such as a user's update cadence;
new one obfuscates this.

Shivan Sahib: There aren't that many issues open on GitHub. Do folks in
the room have concerns/suggestions for the doc as-is? If so, this is a
good time to raise those issues. We would like to see a protocol
document start soon, before architecture document gets published. A
protocol document would address some of the vagueness/ambiguity in
architecture doc.

Felix Linker: Ready to work on protocol design and willing to help.

no one in room coming to the mic to answer question about starting work
on a protocol doc. ~4 +1s in the chat for protocol doc

Paul Wouters: TZ and travel make it hard for some interested parties to
participate, please ask on the list and don't assume quiet in the room
means disinterest

Orie Steele: excited to start protocol work. The sooner we delve into
that, the sooner we can analyze privacy and security properties of the
overall system.

Kevin Lewi: Agreed with Orie.

Stephen Farrell: happy to review as well. How do we recover when a log
goes bad?

Brendan: if the log needs replacement, refer to my migration slides. if
the log just disappears, i don't know how we manage that.

If you still have the old log, and you can make read-only queries, it
should work to have the final root nodes.

Stephen: i'm just trying to see how this would have affected the OpenPGP
keyserver network failures.

Orie: it might depend on whether you can do reads. if write failures
happen that isn't a problem.

Stephen: we need to think about what to do when a KT log fails, part of
the lifecycle concerns.

Devon O'Brien: read-only mirroring might be a solution for other
systems, but it wouldn't work for KT.

Brendan: structurally, the KT operator might not be open to a read-only
mirror.

Shivan: is the existingn protocol document a good start?

Brendan: nope, enough changes in the architecture document mean we
probably have to start from scratch.

Prachi: can you figure out some way to get a group of authors together,
via the mailing list?

Roman: are you asking for a design team?

Prachi: let's ask for contributors on the mailing list. it might end up
being a design team, depending on how people respond.