Re: [webrtc-encoded-transform] Integration of SFrameTransform and MLS (#114) from Richard Barnes via GitHub on 2021-08-11 (public-webrtc-logs@w3.org from August 2021)

From: Richard Barnes via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Aug 2021 19:29:29 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-897093116-1628710168-sysbot+gh@w3.org>

For context, the [MLS integration with SFrame](https://github.com/bifurcation/sframe-mls/blob/main/draft-barnes-sframe-mls.md) replaces manual per-stream keying with a more automated scheme that derives per-sender keys from a single key exported from MLS. It also provides new keys to SFrame when the MLS epoch changes (e.g., because of a join or leave).

That means that a web app that wants to do MLS+SFrame needs the following parts:

1. Export a key from the MLS context
2. Derive SFrame keys according to the MLS+SFrame spec
3. Configure SFrame senders/receivers

The current SFrameTransform does (3); presumably a future WebMLS thing would do (1). The question is where (2) resides, and in particular, whether it needs to be in SFrameTransform in order to keep the keys isolated from JS (our ultimate goal here), or whether it can be done in JS.

To be doable in JS while keeping the keys isolated from JS, all of the CryptoKeys involved would need to be have `extractable = false`, including the keys exported from MLS, the keys imported to SFrame, and any intermediate values. I haven't worked through all the details, but IIRC, WebCrypto supports enough derivation functions from non-extractable to non-extractable that this could probably be made to work.

The unfortunate thing is that WebCrypto also allows you to derive an extractable value from a non-extractable one, and vice-versa. So if the browser were going to try to assure that the SFrame keys were never exposed to JS, it would need to track the whole history of a key to make sure that none of its antecedents were available to JS. This might be a useful thing to add to WebCrypto, and not super complicated, but it doesn't exist today.

So there's still a case to be made for doing the key derivation within the browser, inside one API context or another. In addition to the above security concerns, it's more ergonomic. If we had some sort of API where you connect an MLS context and an SFrame context, we could put the key derivation logic in one of those contexts.

--
GitHub Notification of comment by bifurcation
Please view or discuss this issue at https://github.com/w3c/webrtc-encoded-transform/issues/114#issuecomment-897093116 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 11 August 2021 19:29:30 UTC