[Mimi] Re: Call for adoption: draft-interop-mimi-discovery-requirements-01
Eric Rescorla <ekr@rtfm.com> Sat, 28 September 2024 17:58 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0C5C14F619 for <mimi@ietfa.amsl.com>; Sat, 28 Sep 2024 10:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_FILL_THIS_FORM_SHORT=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zYp9aw3YKOOS for <mimi@ietfa.amsl.com>; Sat, 28 Sep 2024 10:58:51 -0700 (PDT)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 788C3C14F616 for <mimi@ietf.org>; Sat, 28 Sep 2024 10:58:51 -0700 (PDT)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-6e235a61bcbso17023397b3.1 for <mimi@ietf.org>; Sat, 28 Sep 2024 10:58:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1727546330; x=1728151130; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aNZQrLS11FDPb1mVY3jAAMFJIm2wpwxDyJw88TIqfWY=; b=nir4PVf0SuRan6KANzY7PJ9VO+mBdqifuUaDMox/uwH3p3zNsSrHWpsMOWu3ZPaYix uUZVREIDXAwDXyQJc7VdmkC3nt7k9hZRIN1J2Wl+aS+LwN0JQ8hc6Mv4ReYsV83kVzAy 4iVGI/lh9LAvOGN1HmYGQBRnQBgfHvCdlAvfpUXrGWr2q/CM6L10uutoZdrB8JxZ+XRU ZFe7Z/GPirAwocn6PNueRhU82pPop/LanQ+UoOBgLFAA6SuLcrhJej5OrKojxPM970SV KpAAYklflrTzfi1i1WtAohElDeCfAsYeVY5BLePaUSp3hPwVb+9/rrC2zJtDMNdHqVG/ xwKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727546330; x=1728151130; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aNZQrLS11FDPb1mVY3jAAMFJIm2wpwxDyJw88TIqfWY=; b=V2rRKogDLmLkW6Vye7h2/+9dnlE28x/TAQxzUg5ITNMIR3aVLQwC9Cl+syaelj2iQD VbVw2+pN0pnzQovXe4ec6b4wK6liPCoZgWLxglA+umIoDJjIrCcfKG8FsP2P/bBeTlo/ JyF9D8ulLMdnH4gONeOc9CCn25Uc6ioa+0Zic+9TahUa1/a3+DgcD4BaPJufHBL+Kn5U +7BjIaxdQmp9VvFo/dwzw0o4IyLpm4sJbqhBi4yWmbWsWnvQ/NKDvE0CJ0HvKA7rfUw6 KohFWvFUTCcP1FGP4lxRmK32iylDmUy0eFOvL/uD6r3Bjs89EyW1JMb3V5tOHEkli/WB 2stA==
X-Forwarded-Encrypted: i=1; AJvYcCURTbKzbMaUKzkHz9OjJ3BmolNO/9UwMOsAFxkineQ+s6zED/FujnT8xaYE5OuGR5x8do7x@ietf.org
X-Gm-Message-State: AOJu0Yz8LuF+PqaO+7+bE7SOiOGV61uxI0U/1cQ/X16Szd5ADsepJOta WaEo7NEEfHqJPt/VlEYH/veiVWkTZL9/nBpW2CwQxAHjUS3/LVzggFVAztswvpZNfyvPyofDCmT eyVNcJ6Xwt5EZgrbgLpUnSZtwRjjE81mej0zRfjkihHInogc0xrM=
X-Google-Smtp-Source: AGHT+IFS3lRpHr+JiCoxCT3YkMTD3iZZFo9bCer0oRx+vcV0OeijTU1pULv/W/j8ApgzWDaABB87xA3qhFmZNEPvZiA=
X-Received: by 2002:a05:690c:d95:b0:6db:e069:b76f with SMTP id 00721157ae682-6e24531af34mr49486147b3.9.1727546330246; Sat, 28 Sep 2024 10:58:50 -0700 (PDT)
MIME-Version: 1.0
References: <CC0A70E4-AC10-436D-9013-0D7A08F4055B@cooperw.in> <CAL02cgSxoZr7c+xh6=+MHFEUQ2xGr=CAFOaeh6HZGqOKThWuVA@mail.gmail.com>
In-Reply-To: <CAL02cgSxoZr7c+xh6=+MHFEUQ2xGr=CAFOaeh6HZGqOKThWuVA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 28 Sep 2024 10:58:13 -0700
Message-ID: <CABcZeBNHL_f5-aYUsiajPoO6HwPqW79OUvH+2j7_4-x2o1OC=Q@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="00000000000059122a062331b9e8"
Message-ID-Hash: X6TCABEG6PPSQ2OESCL5NZI4P7BLOBFG
X-Message-ID-Hash: X6TCABEG6PPSQ2OESCL5NZI4P7BLOBFG
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Alissa Cooper <alissa@cooperw.in>, mimi@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Mimi] Re: Call for adoption: draft-interop-mimi-discovery-requirements-01
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/FjTN-hykhzUhury0iE-QTqQcfr4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Owner: <mailto:mimi-owner@ietf.org>
List-Post: <mailto:mimi@ietf.org>
List-Subscribe: <mailto:mimi-join@ietf.org>
List-Unsubscribe: <mailto:mimi-leave@ietf.org>
BLUF I don't think this is ready. I recognize that this is just a starting point and the authors have put in a fair amount of work here, but I think this does need to be somewhat closer to the right thing before we adopt it. I share many of Richard's reservations about the document structure. More broadly, I just think much of the document is at the wrong altitude, addressing specific implementation techniques (in some cases rooted in some IMO misguided architectural ideas) rather than focusing on the actual externally visible requirements. For example in S 6.1. 3. The client, MSP, and DP must collaborate to generate a verifiable representation of the CSI-to-MSP mapping (e.g., using a threshold signature). The can then be shared with any DP and verifiable by clients. This is a specific attempt to implement some binding properties, but what are those properties actually? I believe it's that: - There is a user who has been assigned a given CSI - That user also has an account at the given MSP [and something about the MSP knowing about the CSI]. Note that it's somewhat hard to precisely state these because in some designs the CSI -> SSI mapping is actually only attested to by the MSP. (As an aside, it would actualy be nice if the document came down on if tht's OK). In any case, it's not clear that the client, MSP, and DP need to collaborate in order to generate a verifiable representation, and it's odd to mention something as detailed as threshold signatures here. Similarly, it's not clear that a "proof of possession" (see S 6) is quite what is needed here; I would typically not think of OAuth as PoP. Many of the rest of the requirements are also too detailed. For instance S 7.1. is a sketch of a design for a system, rather than really a set of requirements. 3. The total length of tags should be limited within the protocol. 4. If a CSI's set of mappings lacks a default mapping or multiple mappings have the "Default" tag, the recipient can choose any of the mappings for communication. On the other hand, privacy has been the topic of a lot of discussion, but the text here is fairly sketchy: Discovered mappings must be verifiable to ensure they are accurate. Crucially, discovery must prioritize user privacy, allowing users to control their discoverability, and it must integrate well with end- to-end encryption and other MIMI protocols. OOTH S 8.4. doesn't talk about concealing mappings at all, so are they public or not? I think this document would benefit from being a lot shorter and just focusing on the actual high level requirements of the system rather than trying to get into how they are implemented. I would suggest going back to Richard's sketched split authentication/discovery architecture and trying to frame requirements with that as a reference. I'd like to see that or something else happen before adoption. Otherwise, I fear that there will be an implicit presumption that this structure is correct and it will be hard to fix later. On Thu, Sep 26, 2024 at 11:19 AM Richard Barnes <rlb@ipv.sx> wrote: > Hi all, > > I have reviewed this document. I think it's a reasonable starting point, > though I have some reservations about its structure and content. Comments > below. > > --Richard > > Traditionally, the Terminology section goes after the Introduction. It's > a little abrupt to land right there after the abstract. > > "A Cross-Service Identifier (CSI) is a globally unique identifier..." - > The "globally unique" seems aspirational here, and should probably be > deleted. It seems like you could definitely have cases where the same CSI > is bound to completely unrelated SSIs, for example: > 1. Alice is assigned a given E.164 number > 2. Alice registers the number with Service A > 3. Alice surrenders the number and it is reassigned to Bob > 4. Bob registers the number with Service B > > This document is very agnostic about what the CSIs are, but practically > speaking, we're only talking about email addresses and phone numbers. > Would there be benefit to specializing to those two? Even if we also have > a section about what would have to be done to accommodate a new identifier > type. > > There are a few instances where more plurals are needed, for example, > "learn the messaging service provider that the user is using" -- the user > could be registered to multiple MSPs with the same CSI. > > While I appreciate the desire to capture the WG discussions about > architectural models, these seem out of place in a requirements document, > except possibly for building intuition about possible models. I would > probably move Section 4 to an appendix or delete it. > > It would be helpful to have a more fleshed-out model of the system, in a > more abstract way than Section 4 provides. Roughly: > * MSPs make DPs aware of authenticated SSI->CSI mappings > * Clients/MSPs request SSI->CSI mappings from a DP (possibly different > from the DP in the previous step) > > In prior discussions we had made a distinction between entities who are > trusted to *authenticate* mappings and those who *distribute* the > mappings. This document seems to assign both of those roles to a DP. It > seems worthwhile to separate them, since it seems plausible that there > could be a system where the two roles are played by different entities, > much like CAs and web servers in HTTPS. > > The requirements in Section 5 are a mix of requirements on the discovery > protocol, over which this WG has full control, and requirements on the > actors in the system outside the protocol, about which we can only be > advisory. It would be good to separate these out, and ideally focus on the > former. > > The privacy requirements in section 8.4 seem very underdeveloped compared > to what has been discussed in the working group. In part, I suspect, > because of the lack of a model of who does what here makes it hard to talk > about who can be denied which information. > > > > > On Wed, Sep 18, 2024 at 12:40 PM Alissa Cooper <alissa@cooperw.in> wrote: > >> We are issuing a WG adoption call for MIMI Discovery Requirements, >> draft-interop-mimi-discovery-requirements-01 [1]. This document would be >> the starting point for the WG to fulfill its "user discovery requirements >> document” milestone. [2] Please respond to the list by the end of your day >> on Wednesday, September 25 to indicate if you support or oppose WG adoption >> of this draft. >> >> Thanks, >> Alissa >> >> [1] >> https://www.ietf.org/archive/id/draft-interop-mimi-discovery-requirements-01.html >> [2] https://datatracker.ietf.org/group/mimi/about/ >> -- >> Mimi mailing list -- mimi@ietf.org >> To unsubscribe send an email to mimi-leave@ietf.org >> > -- > Mimi mailing list -- mimi@ietf.org > To unsubscribe send an email to mimi-leave@ietf.org >
- [Mimi] Re: Call for adoption: draft-interop-mimi-… Richard Barnes
- [Mimi] Re: Call for adoption: draft-interop-mimi-… Eric Rescorla
- [Mimi] Re: Call for adoption: draft-interop-mimi-… Femi Olumofin
- [Mimi] Call for adoption: draft-interop-mimi-disc… Alissa Cooper
- [Mimi] Re: Call for adoption: draft-interop-mimi-… Jonathan Rosenberg
- [Mimi] Re: Call for adoption: draft-interop-mimi-… Eric Rescorla