On 10/10/14 23:09, Trevor Perrin wrote:
> On Fri, Oct 10, 2014 at 1:21 PM, Ximin Luo <[email protected]> wrote:
>> On 10/10/14 21:06, Trevor Perrin wrote:
>>> [1] https://moderncrypto.org/mail-archive/messaging/2014/000372.html
>>>
>>
>> This [1] doesn't achieve consistency. I tried to explain why both in its
>> "next message in thread" and in the first post of this thread, but it looks
>> like my warnings are falling on deaf ears; here is a more concrete example:
>>
>> A: (1) Who wants ice cream? (last-message-seen: 0)
>> A: (2) Who wants to kill the president? (last-message-seen: 1) (sent to
>> everyone, *except B*)
>> B: (3) No thanks... (last-message-seen: 2)
>> C: (4) Me! (last-message-seen: 3)
>
> Thanks for the concrete example.
>
> It would be great to have a list of cases like this so we could
> compare how different proposals handle them.
>
> In this case, with Moxie's proposal, C is warned about the missing
> message before saying "Yes!". And anyone reading the (obviously
> ambiguous) transcript could long-click on C's "Yes!" and see what it's
> responding to.
>
> Maybe that's good enough, maybe it's not. A better taxonomy of
> possible issues and proposals would help make these comparisons.
>

Here is another example of an attack scenario. Hopefully, this demonstrates more obviously that the [1] scheme proposed makes certain consistency attacks invisible to some of the victims:

Alice: (1) So let's discuss Dual EC DRBG (last-message-seen: 0) # to everyone except David
Alice: (1A) So let's discuss Fortuna (last-message-seen: 0) # to David only
Bob: (2) Do you think this RNG is suitable, David? (last-message-seen: 1) # to everyone
# David is feeling lazy today and doesn't want to wait for the warning to disappear nor to slow down the conversation.
# Besides, nothing bad happened with the last 37 warnings. Also, Bob is a totally trustworthy friend, right?
David: (3) Yeah it's suitable, let's go with that. (last-message-seen: 2) # to everyone
Alice: (4) OK, sounds good. Team, you heard our advisor. Make it so! (last-message-seen: 3)

Everyone else except David sees 1<-2<-3<-4 with no warnings. David unilaterally decided the warning wasn't important enough to bother acting upon, resulting in everyone being screwed.

That is, if you want consistency under the [1] scheme above, it is not enough for *you yourself* to react properly to warnings, but you have to rely on *other people* to react appropriately too.

If the user cannot react out-of-band to the warning, then (to guarantee consistency) he must wait until the warning subsides and he has "seen all messages" before a certain message. However, this is not guaranteed to ever happen - for example, if someone sends messages 1, 2, 3, 4, 5,..., and the receiver gets them in this order: 1, 3, 5, 2, 7, 4, 9, 6,... then at no point in the sequence is the user "missing no messages". The above sequence is (1, 3, 5, 7, ...) offset-and-interleaved with (2, 4, 6, ...), but one can imagine other sequences that have the same property.

X

--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
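
Added example, not part of the original post or of any proposal's code: a small Python model of the two situations described in the message above. It assumes a client warns whenever a message's last-message-seen id has not been received; "Carol" and all function names are hypothetical. It shows that only David is ever warned, and that under the interleaved delivery order the receiver is gap-free only after the very first delivery.

```python
from itertools import count, islice

# Constructed from the scenario above: (id, sender, last_seen, recipients).
# last_seen "0" means "nothing seen yet"; "Carol" is a hypothetical team member.
EVERYONE = {"Alice", "Bob", "Carol", "David"}
TRANSCRIPT = [
    ("1",  "Alice", "0", EVERYONE - {"David"}),
    ("1A", "Alice", "0", {"Alice", "David"}),
    ("2",  "Bob",   "1", EVERYONE),
    ("3",  "David", "2", EVERYONE),
    ("4",  "Alice", "3", EVERYONE),
]

def warnings_for(member, transcript=TRANSCRIPT):
    """Ids of messages whose last-message-seen parent `member` never received."""
    seen, warned = {"0"}, []
    for msg_id, _sender, last_seen, recipients in transcript:
        if member not in recipients:
            continue
        if last_seen not in seen:      # assumed warning rule: parent is missing
            warned.append(msg_id)
        seen.add(msg_id)
    return warned

def interleaved_order():
    """Delivery order 1, 3, 5, 2, 7, 4, 9, 6, ... from the message."""
    yield 1
    yield 3
    for k in count(1):
        yield 2 * k + 3                # next odd-numbered message
        yield 2 * k                    # delayed even-numbered message

def gap_free_points(order, n):
    """0-based delivery indices after which every message 1..max is held."""
    received, points = set(), []
    for i, msg in enumerate(islice(order, n)):
        received.add(msg)
        if len(received) == max(received):
            points.append(i)
    return points

if __name__ == "__main__":
    for member in sorted(EVERYONE):
        print(member, "warned on:", warnings_for(member))
    print("gap-free after deliveries:", gap_free_points(interleaved_order(), 1000))
```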
