IETF Logo Mail Archive

[Mimi] Brendan's Partition Keys (was Re: Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol)

Rohan Mahy <rohan.mahy@gmail.com> Fri, 29 March 2024 05:14 UTC

Return-Path: <rohan.mahy@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85072C1840E2 for <mimi@ietfa.amsl.com>; Thu, 28 Mar 2024 22:14:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ku9XmoQTocE2 for <mimi@ietfa.amsl.com>; Thu, 28 Mar 2024 22:14:49 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9131CC1840DF for <mimi@ietf.org>; Thu, 28 Mar 2024 22:14:44 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-56829f41f81so2356191a12.2 for <mimi@ietf.org>; Thu, 28 Mar 2024 22:14:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711689282; x=1712294082; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WtzVev1wbOKh3iny4xWa9f6wJ3EXctzjq5ooHjW0250=; b=E2qncVIZZdwd7OAsxIsBlkNhW2INQfEYZIcuZgNBCGifAXWGQr1wLwph21hFdspcoB fa+NQCn8il+sLXyo5IXjyGSTc+YSPNZiNt/G7LCkeFVO6kBRpZG53B6h+L6ZgXyK4p6l ZeI/aar2WD0GNSJ1vtfm8t/lRSwcynzakrSDXl0Ik/ppwBg+DVGCmWKod99pifBEdCCA AjdZ9qmHzXm3NGkZMmWNu9LvMarZzw22u3P+Wu4vFf/PD8MP+N4/JlT4qSoNmQQDM9Mv Usz4Y2n495YrvdOYcgXgm3XwMoFjeMpLJxWBbsaUDtM3QSUtROq9x6/6SCgRowx1JiWQ zw2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711689282; x=1712294082; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WtzVev1wbOKh3iny4xWa9f6wJ3EXctzjq5ooHjW0250=; b=NPei6k3wBnefzV829Osfu0+hbCMZr2TFhRq/Yv7wpAnEorBmbST9gBAF0sYDEteQM3 Vx5SQQYkPFRUVLUZQ2gViOeBrSyZ6g+tU/H415Ikzu7hqMHO85Lz8FWfXVVVQ1DJxjnG VfcUmZU5w50v7Y43gINew4hSwCR39T/P5GbaH4Ry3Lv5DSdLJJXVHmXs4mUZhoZenavH kk5TdNRO17coivFgRXMfuYItUh7kbUl70bIYYeW1/4kSxykaznhxA088AJBi+G2kbyFe 09RiEKTzM17QmP8bWRDlFSM/ICdbuXFL6tnzUJEdnnacLYMpWYbxiRAuhPzraBtSbhyj EYYw==
X-Gm-Message-State: AOJu0YwylHETDrxoYPwEJFyr244CHGYEz2UzmS3rwn1fiQRwXKVxO7Y/ w0q7dZbS0QJR06wlC6N/wzpd71GWF+aKL0rStgWVzBBilWCIGg3gIBmSTiqriiyCS61L6J/dX8I 0KYzC4iLiXQtYx0JCa5oAwtbvalMTOBt3HCc=
X-Google-Smtp-Source: AGHT+IFo1N4+/O1EL+666RzIzJseKfBzQJgmTKL6yCAkp7TGYkJ++BaRFC2Hanf9uNmTKh6bDzDqX/EBNbjdmHsJEvU=
X-Received: by 2002:a50:d7d9:0:b0:568:180a:284b with SMTP id m25-20020a50d7d9000000b00568180a284bmr607872edj.37.1711689281739; Thu, 28 Mar 2024 22:14:41 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com>
In-Reply-To: <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Thu, 28 Mar 2024 22:14:30 -0700
Message-ID: <CAKoiRuY72u2UT4ThToYFZY6QHa2UgpxH-iXZiKP1pPd4AANt3w@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: mimi@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009aa4320614c5b724"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/32afun__BAPXOjb2YegWgJDpQnE>
Subject: [Mimi] Brendan's Partition Keys (was Re: Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol)
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 05:14:50 -0000

Hi Brendan,
I realized that the privacy keys in your gist have some negative
implications for offline use and also leak private timing information.

A partition key is a short secret exported from the MLS key schedule.
> Whenever users send or receive group messages, they provide the partition
> key for the current epoch. Messages sent with a given partition key are
> only provided to users who request to receive messages with the same
> partition key. (Exceptions may be selectively made for external commits /
> proposals, given that the sender isn't in the group yet.)


So if a user is offline and was "subscribed" to the privacy key for group
"clubhouse" in epoch 13, its RSP will receive app messages in that group
and the Commit that moves it to epoch 14, however the RSP won't request
anything for subsequent epochs while its client is offline. The hub has to
keep messages as long as the longest period that an individual client on
any of the providers can be offline. It also means a client will need
several round trips to subscribe for messages as a busy group transitions
from epoch to epoch. This is not great for the user experience, especially
if the client is on a high-latency connection.

If the RSP has relatively few users, this also leaks a lot of timing
information about when clients of the RSP are online and offline.

Thanks,
-rohan

On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion <
brendanmcmillion@gmail.com> wrote:

> Hi Rohan
>
> Sure, here's a general approach that I think would meet mimi's goals
> better: https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02
>
> It's hard for me to see how the pseudonyms approach could possibly be
> fruitful. If the reason for requiring PublicMessage is performance (i.e.
> having clients upload a linear amount of encrypted data is too expensive
> for them), how could a pseudonym scheme possibly authenticate a linear
> number of members with sublinear data? Say that it is possible -- why
> couldn't this same encryption scheme just be applied directly to the
> ratchet tree, instead of adding a layer of indirection that risks voiding
> the security of all of MLS?
>
> If the reason for requiring PublicMessage is to support policy
> enforcement, then obviously we don't trust clients to do this themselves.
> But if we don't trust clients, the approach of inspecting handshake
> messages and trying to actively track the group state actually makes the
> protocol more brittle and vulnerable to abuse. The hub server can't verify
> group state, so a single malformed message can brick the group in
> innumerable different ways and there's nothing that can be done to recover.
> If the hub server was out of the way, instead of enforcing it's own idea of
> who's in the group and which epoch is most recent, honest clients can
> recover from malicious behavior in a straightforward way.
>
>
> On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>
>> Hi Brendan,
>>
>> You characterized the state of the current draft as "freely" sharing a
>> lot of metadata with all the providers. I'd like to examine that a bit more.
>>
>> Assuming each client follows the recommendation in the draft to use a
>> unique pseudonym per group (this implies only joining via join/invitation
>> links or knocks), the non-local providers know the following:
>> - the authorization policy of the group (broadly),
>> - how many MLS clients from each provider are in each group,
>> - how often each client sends messages,
>> - the authorization role(s) assigned to their anonymized users, and
>> - (if they reveal it) if there are multiple devices under the same
>> pseudonym.
>>
>> While a user's local provider (which the user has chosen) is sort of
>> outside of the scope of MIMI, when it is a hub provider it will at least
>> need to disclose machine-readable privacy information for each of its
>> rooms. Each client gets to examine the room policy before they join and
>> before they accept any change to that policy. This is already way better
>> than the status quo. The metadata privacy extensions that Konrad and
>> Raphael are working on further improve the privacy situation.
>>
>> If you think this is setting the privacy bar too low, I think it would be
>> reasonable to provide an outline of how you think MIMI could provide
>> similar functionality with even less metadata. IMO this doesn't need to be
>> an I-D, but at least a page-long email with bullet points.
>>
>> Thanks,
>> -rohan
>>
>> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion <
>> brendanmcmillion@gmail.com> wrote:
>>
>>> Providing the same privacy properties as Signal is incredibly difficult.
>>> Nobody is asking mimi to do that. However, the mimi protocol could be a
>>> neutral way for service providers to synchronize messages related to a
>>> given group. Whether a service provider chooses to receive messages in some
>>> exceptionally private way or not, would be the service provider's choice.
>>> But instead the drafts require duplicating state between the encryption
>>> layer and mimi layer, and this presupposes a certain inescapable amount of
>>> metadata leakage.
>>>
>>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>>>
>>>>
>>>>
>>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>>> wrote:
>>>>
>>>>> Sounds like a classic loss for privacy.
>>>>>
>>>>
>>>> I argue it is the opposite. Today if you want to join a group chat on
>>>> any system other than Signal, the participants surrender much more metadata
>>>> than would be revealed to other providers under the proposed MIMI approach
>>>> with pseudonyms. In addition, the low metadata approaches (using techniques
>>>> such as privacy pass) that Konrad and Raphael are nurturing offer
>>>> substantial improvements to privacy.
>>>> If we publish a specification that requires all providers to provide at
>>>> least Signal-level metadata privacy, it is likely that we will end up with
>>>> neither interoperability nor privacy for the vast majority of users.
>>>> Thanks,
>>>> -rohan
>>>>
>>>>

v2.23.0 | Report a Bug | By Email