Day three of the 113th IETF meeting, in Vienna Austria.
Messaging Layer Security (MLS) is (finally) closing in on Last Call at protocol Draft 14 and architecture Draft 7 (which will be taken forward together). Sometimes referred to as the TLS for messaging systems, Messaging Layer Security creates a uniform secure group discussion protocol, scalable to very large groups and providing similarly uniform security guarantees across providers. The near completion of the architecture and protocol drafts, and commencement of interoperability testing has prompted the Working Group to dust off the Federation draft as the next object of their affection. Will I be able to connect my Wire client to the Facebook Messenger server? Don’t hold your breath, but in the meantime you’ll be able to enjoy the manifest benefits of secure group chat (with security guarantees as high as the industry knows how to produce) on your own network.
Oblivious HTTP Application Intermediation (OHAI) is another in the suite of new designs aimed at reducing misuse of the client’s IP address. OHAI is complementary to MASQUE - the former focused on transactional service protocols like DNS and OCSP queries, the latter on fully bi-directional interactive exchanges. Like MASQUE, proxies are involved (between requester and request destination) and in both cases the client (user) has to trust the proxy. However, in the case of bad-actor clients, it is imagined that the proxy will want to communicate on a side channel with its counterpart to stop things like reply attacks or other mischief via shadow banning. This, however, raises the spectre of collusion among the intermediaries - something OHAI was initially defined to avoid. There seems to be significant effort remaining on this proposal.
As mentioned in the prior post, the Human Rights Protocol Considerations(HRPC) Research Group considered a new Individual Contribution on Regional Internet Blocking Considerations. While the current geopolitical environment was the impetus for this work, the content isn’t specific to a particular event. Rather, it catalogs - for policy makers - the technical mechanisms available to withdraw geographic areas from connection to the global network, effectively de-mystifying the concept. Also via HRPC, the IETF got its first look at the idea of content provenance in the work of the Coalition for Content Provenance and Authenticity and their efforts to create specifications around this idea. Guardian Project’s pioneering ProofMode work got a shout out! Of special importance here, and perhaps more significance to IETF than the data at rest work of the specification itself, are its generally-applicable definitions in the area of Harms Modelling, readapted from work by Microsoft. This concept is core to HRPC’s research mission as defined in rfc8280 and this is the most rigor I’ve seen in defining the concept in ways that can have protocol impact.