From: Michael Rogers <m--@gm...> - 2012-03-23 10:49:42
I think we're getting close to a version of BTP that can be written up
and submitted to a security conference. Here are the features I think we
should include in that write-up:
* Invitations (including the initial rendezvous question raised by Ella)
* Key rotation for forward secrecy
* Simplex and duplex connections
* Introductions between contacts
* Introductions between devices (the same protocol as for contacts)
* Confirmation of contacts' keys (the same protocol as for invitations)
* A sketch of how transport properties are exchanged and updated inside
BTP connections, without going into the details of BMP
Features we haven't addressed yet:
* Mutual contact discovery (for making repeaters available to contacts)
* Device revocation
* Contact revocation
* Panic button notifications
Repeaters and mutual contact discovery could be a separate paper.
Contact revocation may be tied up with our assumptions about how people
will use Briar and what kinds of relationships contacts will have - we
should probably try to make those assumptions explicit before specifying
any mechanisms. Likewise for panic button notifications.
Device revocation may be an easier place to start. Ben had a great idea
involving secret sharing, although that might also require us to clarify
some assumptions about trust between contacts. Perhaps we should start
with the easiest case: I still have control of one of my devices. How do
I revoke my other device, and any devices it may have introduced to my
contacts since I lost control of it, bearing in mind that whoever now
controls that device can do the same to the device I still control?
Straw man proposal: I send a message to all my contacts that has the
meaning "Don't trust any of my devices (including this one) until I've
re-introduced them face to face". This works, but it's a total pain. How
can we improve it?
From: Michael Rogers <m--@gm...> - 2012-03-23 17:52:54
On 23/03/12 10:49, Michael Rogers wrote:
> Straw man proposal: I send a message to all my contacts that has the
> meaning "Don't trust any of my devices (including this one) until I've
> re-introduced them face to face". This works, but it's a total pain. How
> can we improve it?
A second pass:
To revoke one or more of my devices, I send all my contacts a BMP
revocation packet listing the devices that are still trusted. Any
devices not listed in the packet are quarantined. Connections from
quarantined devices are still accepted, but all BMP packets other than
revocation packets are ignored.
Quarantine makes it possible to send conflicting revocation packets from
different devices, so if someone steals my phone and immediately revokes
my laptop, I can still use my laptop to revoke their phone.
Each contact gossips the packet among her own devices. Perhaps the
packet has a text field for an explanation, since ordinary private
messages won't be accepted from quarantined devices.
A quarantined device can be removed from quarantine by repeating the
face to face invitation protocol, which establishes a new shared secret.
Other devices can then be re-introduced by repeating the device
introduction protocol, which doesn't have to be done face to face.
*Possibly* we should allow contacts to remove devices from quarantine
manually, but I feel like that might open the door to social engineering