Identity for E2E-Secure Communications

Introduction End-to-end (E2E) security protects users' communications from tampering or inspection by intermediaries that are involved in delivering those communcations from one logical endpoint to another. Almost all user-to-user communications systems today involve application-level intermediaries, such as message queues or media servers. In this context, "hop-by-hop" security refers to the security properties of the channel between the client and application-level intermediary, despite the fact that this channel may transit a number of network-level intermediaries. "End-to-end" security refers to security properties of the communications between one end client and another. Given the ubiquity of application-level intermediation, E2E security is a critical property for modern user communications systems. E2E security is typically implemented with two separate mechanisms:

E2E encryption, which establishes keys among a group of communicating clients, and authenticates them at a cryptographic level, and
E2E identity, which associates non-cryptographic attributes to the cryptographic representation of clients in the E2E encryption protocol.

Broadly speaking, E2E encryption protects against passive attacks by intermediaries. E2E identity protects against active attacks such as impersonation attacks. Both layers are required to attain a complete notion of E2E security. An overview of identity considerations for messaging systems is provided in . In this document, we describe a concrete framework for E2E identity, drawing on some initial deployment experience, and highlighting the mechanisms that need to be defined for an interoperable solution.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. We use the following terms below:

Client:: The hardware or software used by a user to interact with an E2E-secure communications system.
Communications provider:: The system of intermediaries that connects communicating clients.
Identity authority:: An entity that is trusted to make statements about the identity attributes associated to clients.
Session:: An E2E-secure interaction among clients, e.g., a Messaging Layer Security (MLS) group
Credential:: An object issued by an identity authority that associates identity attributes with a client's public key.
PKI:: Public Key Infrastructure

Operational Context and Assumptions The context in which E2E identity is implemented is shown in . It involves the following actors:

A number of clients participating in an E2E-encrypted session
- A presenting client that is claiming to represent certain identity attributes
- Verifying clients that authenticate the claimed identity attributes
One or more communications providers that facilitates communications among the clients
An identity authority that asserts identity attributes of the presenting client, and which is trusted by the verifying client to make such assertions.

Note that in most settings, each client will act as both a presenting client and a verifying client, authenticating itself and verifying the other clients in the session or group. Each client could use a different identity authority for its identity attributes.

Some E2E encrypted systems use a distributed identity authority rather than a centralized authority. While this out of scope of the MIMI working group, it is still compatible with the high-level model presented in this section.

We assume that the E2E encryption for the session is provided by means of an E2E encryption protocol such as or MLS , in which each participant is cryptographically authenticated by means of a digital signature key pair. The phrase "identity attributes" above is deliberately broad, to encompass any attribute of the client that is not directly cryptographcally verifiable. This includes technical identifiers such as DNS names or URLs, but also user-meaningful identifers such as given or family names, or names of organizations or roles.

Operational context for E2E identity | Client | | +-----------+ +----------------+ | +------------+ | Communications | | +-----------+ | Presenting | | Provider(s) | | | Verifying | | Client +-----------------------------+--->| Client | +-----+------+ | | +-----+-----+ | +----------------+ | | | | | | +-----------+ | +------------------+ Identity +----------------+ | Authority | +-----------+ ]]> In this context, the goal of E2E identity is to protect the authenticity of the binding between the presenting client's public key (which represents them in the E2E encryption protocol) and their identity attributes, against attack by the communications provider. Only a client that legitimately represents the claimed attributes should be able to cause a verifying client to associate those attributes with the first client. More succinctly, E2E identity protects against impersonation attacks by the communications provider. The architecture described here achieves this protection by means of role separation between communications provider and a centralized identity authority. The communications provider is untrusted, in the same way that network attackers are untrusted in the traditional Internet Threat Model . The identity authority is trusted to correctly assert bindings between identity attributes and public keys. This includes verifying that presenting clients control the corresponding public keys, to avoid Unknown Key Share attacks analogous to those in . There are other techniques that can reduce the trust that is placed in the identity authority, for example Key Transparency (KT) or various self-sovereign identity approaches. These approaches are generally more costly to deploy at scale compared to authority-based approaches; they also can be layered on top of an authority-based scheme. (Certificate Transparency was deployed many years after the Web PKI ). Thus the rest of this document focuses on a centralized authority-based system for E2E identity, as a baseline to which these other approaches might be added later. A secondary goal is to minimize the amount of information about the clients and sessions that is exposed to the identity authority. The identity authority should not learn which communications providers or verifying clients a presenting client is interacting with. Verifying clients use ultimately authenticated identity attributes to make policy decisions as to the security state of the meeting. For example, a verifying client may have attempted to reach the holder of the SIP URI sip:bob@example.com, and would regard the session as compromised if they were not actually connected to that entity. Or a verifying client might wish to require that all participants in a session belong to a given organization. E2E identity assures that these policies are evaluated on correct inputs.

An Architecture for E2E Identity shows the three critical steps in a system E2E identity:

Issuance: An identity authority provides the presenting client with a credential associating identity attributes to a public key.
Presentation: The presenting client provides its credential to the verifying client, along with proof that the presenting client controls the corresponding private key.
Verification: The verifying client verifies that the credential was issued by a trusted identity authority, and verifies the presenting clients proof of control of the corresponding private key. The verifying client may verify by communicating with the identity authority, or autonomously using previously configured information about the identity authority.

If all three of these steps is successfully completed, with the security properties described below, then the verifying client can safely associate the identity attributes in the credential with the presenting client.

Issuance The issuance process is similar to existing widely-deployed processes for issuing public-key credentials, such as ACME . This process results in the presenting client holding a credential that associates a public key to a set of identity attributes. So the issuance process must assure the identity authority of two things about the presenting client:

That it controls the private key corresponding to the public key
That it legitimately represents the identity attributes

In addition, to prevent unknown key share attacks (UKS), the issuance process must verify these properties jointly -- that the entity that controls the private key is the same as the entity that holds the identity attributes. These assurances are typically provided by having the presenting client create a signature with the private key over an object that reflects the identity attributes. In ACME, the client sends a Certificate Signing Request , which contains both the desired identity attributes and a signature by the client's private key.

Presentation The presentation process accomplishes two things:

It conveys the presenting client's credential to the verifying client.
It proves to the verifying client that the presenting client holds the corresponding private key.

The latter function ties the presentation process to the E2E encryption protocol being used. The credential used for E2E identity authenticates the key pair that represents a client in the E2E encryption protocol. The E2E encryption protocol will thus already include mechanisms for the presenting client to prove they hold the private key corresponding to the credential. If the E2E encryption protocol can also deliver the credential (as opposed to passing it in some other way), then in addition to simplifying application architecture, the E2E encryption protocol can provide some additional security benefits. E2E encryption protocols where the presenting client signs the credential being presented are generally immune to unknown key share attacks, even if there is a UKS vulnerability in the underlying issuance process. As a concrete example: In the MLS protocol mentioned above, each client presents its credential in a LeafNode structure that is signed with the client's private key. This structure is conveyed to the other participants in an MLS-based session when the presenting client joins the session. This provides the other participants with both the credential and a signature over the credential (and the other contents of the LeafNode) which acts as a proof of possession of the private key.

Verification A credential will typically be an object signed by the identity authority, so the verifying client will only need to know the identity authority's public key in order to verify that the credential was authentically issued by the identity authority. Credentials will typically also have some notion of expiration, e.g., the notBefore/notAfter fields in X.509 or the nbf/exp fields in JSON Web Tokens or CBOR Web Tokens . Verification at this level is simple, fast, and privacy-preserving. In some cases, though, it is necessary to have a notion of revocation of credentials. Here revocation of a credential means that the credential will no longer be accepted by verifying clients, even though the credential itself is otherwise valid (e.g., its signature is valid and it has not expired). Since the credential itself cannot reflect revocation information, a verifying client needs to get revocation information from the identity authority independently. Several design patterns for revocation have been explored in the PKI context:

Short-lived certificates with no revocation checking
Online Certificate Status Protocol (OCSP) checks by clients
OCSP stapling and the "TLS Feature" extension
Certificate Revocation Lists (CRLs) fetched by clients
CRLs fetched by vendors and redistributed to clients

The Web PKI has generally settled on central CRL fetching (5), by the following process of elimination:

Short-lived certificates are unacceptable in settings where clients might be offline for longer than the revocation checking interval.
OCSP has bad performance properties and leaks lots of information to the identity authority.
OCSP stapling with the "must-staple" extension is equivalent to short-lived certificates.
CRL fetches by clients are either highly inefficient or require complicated caching schemes that are better done centrally.

These design patterns and arguments also apply, with relevant adaptation, in the context of E2E identity. Thus, revocation mechanisms developed for E2E identity should be oriented toward centralized CRL fetching, but accounting for an important difference -- that the client vendor is often the communications service provider, and thus an untrusted actor. This means that clients will need to verify the authenticity of revocation information, and mechanisms such as CRLite will not work. Rather than having the vendor compress an uncompressed representation (as in CRLite), the revocation data provided by the identity authority will have to already be compact.

Instantiations There are a few deployed and emerging models for E2E identity that can be viewed as instantiations of the above architecture. In this section, we examine a few example cases.

Manual Verification of Key Fingerprints Many E2E-encrypted messaging apps rely on users manually comparing each others' key fingerprints for their only E2E identity assurance. This can be viewed as a degenerate case of the above architecture:

The credential is only the presenting client's public key, without identity attributes.
Each user acts as their own identity authority.
Issuance is done by the user's client generating a key pair.
Presentation comprises the E2E encryption protocol's proof of possession of the presenting client's private key.
Verification is the manual comparison of key fingerprints, the user of the verifying client confirming with the user of the presenting client that they have the same view of the presenting client's public key.

This case is degenerate in the sense that it does not actually authenticate any identity attributes; the only non-cryptographic attributes attested are those claimed by the presenting client in the verification interaction. This system is thus vulnerable to UKS attacks when the user of the presenting client abuses their position as a trusted identity authority . In reality, the vast majority of users never verify the keys of the users with whom they communicate. A handful of E2E-encrypted messaging apps also use Key Transparency (KT), effectively trusting a key on first use, and issuing a warning when new clients are added or previously known clients are replaced. This mechanism makes it easier to determine later that a communication provider actively tampered with communications, but does not cryptographically prevent it from doing so when the client was first created.

X.509 X.509 and related PKI technologies are a widely used instantiation of authority-based authentication, and map naturally in to this architecture:

The credentials are certificates.
The identity authorities are certificate authorities (CAs).
Issuance is done via issuance protocols such as ACME or EST .
Several key exchange protocols contain the required mechanics for presentation, e.g., the X509Credential mechanism in MLS.
Verification follows the process in , with revocation checking done via one of the several mechanisms discussed in .

This scheme works well for cases where a PKI is available with authorities that will attest to the required identity attributes, and where the operational context allows for certificates to be provisioned to clients. Multiple E2E-secure communications products today use this scheme.

Verifiable Credentials Certificates and PKI protocols tend to be a bad fit for authenticating user identities. Systems like SAML and OpenID Connect are more commonly used for user identity, but only produce bearer tokens, not the public key credentials required for E2E identity -- using bearer tokens for E2E identity would allow the verifying client to impersonate the presenting client! Likewise, because the verifier needs to check a bearer tokens validity directly with the issuer, the identity authority learns every verifier to whom a client authenticates. More recently, there has been work to apply the W3C Verifiable Credentials (VC) framework to this problem . The VC model aligns well conceptually with the above architecture, and some of the required protocols are in development:

Credentials would be verifiable credentials or verifiable presentations.
The identity authorities would be Issuers in the VC model. (Likewise, the presenting client would be a Holder and the verifying client a Verifier.)
The issuance process here corresponds to the issuance interaction in the VC model, for example using OpenID for Verifiable Credential Issuance
The presentation process here corresponds to the presentation interaction in the VC model, for example using an integration with the E2E encryption protocol analogous to the X509Credential integration in MLS mentioned above.
The verification process here corresponds to VC verification, using a mechanism such as for revocation.

A VC-based model for E2E identity is clearly still incomplete, but given the good conceptual alignment and potential for a better fit with user identity than PKI, it seems like a promising candidate for further development.

Secure Patterns for Internet Credentials (SPICE) The SPICE working group was chartered to develop digital credential profiles which work in scenarios with an issuer, holder (a presenter in this model), and a verifier. SPICE is clearly a natural fit for MLS credentials and MIMI identity. SPICE makes extensive use of CBOR Web Tokens , and includes support for cryptographic properties such as redaction, linkability and selective disclosure.

Requirements for Interoperable Identity The MIMI working group is focused on establishing interoperability among messaging systems. In order to have E2E identity protections in an interoperable context, the interoperating parties will need to agree on the answers to a few questions:

What E2E encryption protocol will be used? (Currently this is MLS only.)
How are credentials integrated with the E2E encryption protocol?
- How is a credential verified against a participant public key?
- What mechanisms for revocation are used (if any)?
- How are credentials associated to the encryption protocol?
What types of credentials are clients expected to be able to verify?
Which identity providers are trusted?

Most of these questions are addressed at the presentation and verification phases in the above architecture. The interoperability considerations around issuance are different: For issuance, there does not need to be a common solution across the population of clients, only between a client and the authority that issues its credential. Nonetheless, having a common, interoperable issuance interface is still valuable, since it simplifies integration between clients and authorities.

Security Considerations This document describes a scheme for authentication in E2E security contexts. Security requirements are described in , a general architecture in , and some candidate instantiations of the architecture in .

IANA Considerations This document has no IANA actions.