Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
Jon Crowcroft <jon.crowcroft@cl.cam.ac.uk> Wed, 27 March 2024 07:59 UTC
Return-Path: <crowcroft@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58725C14CE5E for <mimi@ietfa.amsl.com>; Wed, 27 Mar 2024 00:59:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.406
X-Spam-Level:
X-Spam-Status: No, score=-1.406 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZaK3AYS_hn29 for <mimi@ietfa.amsl.com>; Wed, 27 Mar 2024 00:59:53 -0700 (PDT)
Received: from mail-ed1-f48.google.com (mail-ed1-f48.google.com [209.85.208.48]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 939E0C151063 for <mimi@ietf.org>; Wed, 27 Mar 2024 00:59:53 -0700 (PDT)
Received: by mail-ed1-f48.google.com with SMTP id 4fb4d7f45d1cf-56bf63af770so1905368a12.3 for <mimi@ietf.org>; Wed, 27 Mar 2024 00:59:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711526392; x=1712131192; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=p4EfSoLW/j/+42PCjEydsKeadH5vARlI+9jPLwCFszA=; b=MK/M0By6GlSqjNBV2hRCCxQD7DHSa7kg/n3cyNuBQETmIQ6ZGh5CeH18n93pmLC18o Ov0Cs38IKKl//cD7jhzmBCxOf4c53eSrzPcgSEROk0UO24EoYEPht4JAufGVe3FLZ16T KghpEgp0Y5tRa2qo+nJk2sQbgVuYZZi68p/WJw3XZ7T/B/n6zRt3p6qHAt7hQYnw9eai fXCwmSNho3NtGHP3TEq2VSELQLO3c6Rm5U/SZE7qieARpEAOxn6Tyc+xPBgIJYyhQDjC Y0lQSsuqg8J0BlXfuA83JoSedp+XaMSA0/G4iE86KbnVb/jNPOqylmyRN/lo+CiffuhC 4h7A==
X-Forwarded-Encrypted: i=1; AJvYcCWLY+YLF/o7SnoSbI9NU3Kg7ZqEJcR+nvkfLP/WhYJVNjv3KKUujaIS3lhCuwBMa3oOI3NMI/JnDj0lFmGS
X-Gm-Message-State: AOJu0YyAbaffvVRq6FYHjatwaIaFbcSBuWOygeAEC3qiwKT6+P8u9yam +GL/7ptGoN6QT7bp5UJwkS8oz/yNT2TgDpOCpdzcgcer00cI8JBszzLYWOlpWX6dWEamG4cTdud 6V/202vWLoAMQMKd8uW279cRef+Y=
X-Google-Smtp-Source: AGHT+IEOXtKCOvXY+MTsLFzuT7gHAIXfX3k4hEy58zoojPd9DMafZZy3Pd+40pXJg0cIfmqYr2X5jwbqUzQqpmJewck=
X-Received: by 2002:a50:d789:0:b0:56b:d1c2:9b42 with SMTP id w9-20020a50d789000000b0056bd1c29b42mr1746501edi.29.1711526391512; Wed, 27 Mar 2024 00:59:51 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com> <CAKoiRubheSkkSHX8Of+j_Tc7CigTpxkKDXT0VVXG7HMru8qW+Q@mail.gmail.com> <CAJTd26KEVoHx1kv=UL_sxDaDOwLuy+-f_8qruJHrZ9enLNfq=A@mail.gmail.com> <CAKoiRub8b3VkBu7E_o9v8V5zBP2Ww7Y=fixxfb6kRO-+AEMpZg@mail.gmail.com> <CAJTd26+VA3-4+yt6oTMrmkwx_GYFA+XEBXwJ11eA3e9qgoUAxg@mail.gmail.com>
In-Reply-To: <CAJTd26+VA3-4+yt6oTMrmkwx_GYFA+XEBXwJ11eA3e9qgoUAxg@mail.gmail.com>
From: Jon Crowcroft <jon.crowcroft@cl.cam.ac.uk>
Date: Wed, 27 Mar 2024 07:59:39 +0000
Message-ID: <CAEeTejJ4DYj6efxCoE8szXh1rBQf2CMOwem4PqyBNFEyBZJUCQ@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: Rohan Mahy <rohan.mahy@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Richard Barnes <rlb@ipv.sx>, Suhas Nandakumar <suhasietf@gmail.com>, Travis Ralston <travisr=40matrix.org@dmarc.ietf.org>, Alissa Cooper <alissa@cooperw.in>, mimi@ietf.org
Content-Type: multipart/alternative; boundary="000000000000970c4a06149fcad0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/MSYgDFERP8kA4VVxH41APsrlOX8>
Subject: Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 07:59:57 -0000
this sounds very cool....was just reminding myself of what guarantees http makes (since yr dependent on it) and this article was a quick catchup (for anyone else not paying enough attention like myself:-) https://blog.cloudflare.com/stronger-than-a-promise-proving-oblivious-http-privacy-properties cheers jon On Wed, Mar 27, 2024 at 7:51 AM Brendan McMillion < brendanmcmillion@gmail.com> wrote: > To be clear, under this approach the LSP knows Alice wants to talk to Bob, >> and the RSP might know or require that it knows. It sounds like the salient >> difference is that the *hub* does not know Alice wants to talk to Bob. >> > > The LSP should only be able to see "Alice wants to talk to one of > RSP's users" because of the masking provided by OHTTP. The privacy property > I generally want is that no service provider should need visibility into > another provider's users > > Maybe I need to step back a bit. You said the hub is responsible for >> message ordering. If the hub gets a series of commits moving to epoch 13, >> then to epoch 14, then to 13, then to 15, then to 14, does the hub send >> these in the order it received them, or does it assume a particular epoch >> is current until told otherwise? > > > Note that the partition key changes each epoch. A user starting at epoch > 13 would process the commit at epoch 13, compute the new partition key, > then share that with its LSP. The LSP would get the commit for epoch 14 > with the same partition key, the user would process it, compute the new > partition key, share that with its LSP. And so on. This is how users would > navigate forks in the group state. It requires one roundtrip per epoch, but > the server could always do an http/2 push if it's confident what the next > request will be. > > If there are several commits in the same epoch, that's obviously easier. > The hub just provides them in the order received and the first valid one is > the winner. > > Is there no authentication required by the hub then? It sounds like the >> only DoS prevention from a compromised but previously honest LSP is rate >> limiting. > > > Yes, such a service provider could push junk data to the hub. Assuming > none of the service provider's users are members of the group anymore, then > none of the spam would be seen by group members, as the correct partition > key wouldn't be known. You would trigger the abuse mitigation, as you would > be sending a bunch of data to partition keys that nobody seems to be > reading. > > On Tue, Mar 26, 2024 at 10:12 PM Rohan Mahy <rohan.mahy@gmail.com> wrote: > >> Thanks, this helped. Three more comments inline. >> >> In the current draft, KeyPackage requests contain both the requesting >>> user's and the target user's identity, and the request is proxied plaintext >>> through several providers. Everyone in the system can see "Alice wants to >>> talk to Bob." By making KeyPackage requests over OHTTP, only the RSP can >>> see "Someone wants to talk to Bob." The RSP might assign bearer tokens so >>> that it knows "Someone" is "Alice", but it also could not. The point is the >>> RSP has control over the anonymity set, and can define it in a way that >>> protects privacy + works with their abuse mitigation. >> >> To be clear, under this approach the LSP knows Alice wants to talk to >> Bob, and the RSP might know or require that it knows. It sounds like the >> salient difference is that the *hub* does not know Alice wants to talk >> to Bob. >> >> - What happens if a hub forwards an invalid/unacceptable commit (not >>> related to an unwanted Welcome) and all the other clients are offline? How >>> does "rollback" work? (Note the current proposal will also need to address >>> a subset of this same problem) >>> >> When honest clients come online, they will ignore the invalid commit. The >>> user that sent the invalid commit will either a.) keep sending messages to >>> the old epoch, or b.) start sending messages to a new epoch with a new >>> partition key. Because the honest clients ignored the commit, they will >>> never see/request the messages that went to the new partition key. >>> Repeatedly messaging an epoch after sending a Commit, or sending messages >>> to a partition key that nobody ever reads, should signal abuse to the >>> service provider. >> >> Maybe I need to step back a bit. You said the hub is responsible for >> message ordering. If the hub gets a series of commits moving to epoch 13, >> then to epoch 14, then to 13, then to 15, then to 14, does the hub send >> these in the order it received them, or does it assume a particular epoch >> is current until told otherwise? >> >> A hub will accept group messages from any RSP that knows the group ID. >> >> >> Is there no authentication required by the hub then? It sounds like the >> only DoS prevention from a compromised but previously honest LSP is rate >> limiting. >> >> Cheers, >> -rohan >> >> >> On Tue, Mar 26, 2024 at 6:58 PM Brendan McMillion < >> brendanmcmillion@gmail.com> wrote: >> >>> Responses inline, >>> >>> On Tue, Mar 26, 2024 at 1:32 PM Rohan Mahy <rohan.mahy@gmail.com> wrote: >>> >>>> Hi Brendan, >>>> Thanks very much for sharing this. This is generally the right level of >>>> detail and helps a lot for understanding where you are coming from. >>>> >>>> A few questions and reactions: >>>> - Could you please elaborate on the construction of the bearer tokens? >>>> If not done correctly, this can easily leak as much metadata as the design >>>> team proposal. >>>> >>> >>> In the current draft, KeyPackage requests contain both the requesting >>> user's and the target user's identity, and the request is proxied plaintext >>> through several providers. Everyone in the system can see "Alice wants to >>> talk to Bob." By making KeyPackage requests over OHTTP, only the RSP can >>> see "Someone wants to talk to Bob." The RSP might assign bearer tokens so >>> that it knows "Someone" is "Alice", but it also could not. The point is the >>> RSP has control over the anonymity set, and can define it in a way that >>> protects privacy + works with their abuse mitigation. >>> >>> The idea of authing with a bearer token that corresponds to an anonymity >>> set is a core part of how Sealed Sender works. Allowing users to /verify/ >>> that they're in an anonymity set isn't required >>> >>> >>>> - How does the hub know when to stop sending messages to an RSP? >>>> >>> >>> If an RSP doesn't have any users that are asking for the messages for a >>> group, the RSP will simply stop pulling messages / revoke consent for push >>> requests. This is independent of the MLS state. >>> >>> >>>> - What happens if a hub forwards an invalid/unacceptable commit (not >>>> related to an unwanted Welcome) and all the other clients are offline? How >>>> does "rollback" work? (Note the current proposal will also need to address >>>> a subset of this same problem) >>>> >>> >>> When honest clients come online, they will ignore the invalid commit. >>> The user that sent the invalid commit will either a.) keep sending messages >>> to the old epoch, or b.) start sending messages to a new epoch with a new >>> partition key. Because the honest clients ignored the commit, they will >>> never see/request the messages that went to the new partition key. >>> Repeatedly messaging an epoch after sending a Commit, or sending messages >>> to a partition key that nobody ever reads, should signal abuse to the >>> service provider. >>> >>> >>>> - Are partition keys shared with any of the providers? If so, how do >>>> they use them? If not, what benefit do they provide? >>>> >>> >>> Users share a (group id, epoch, partition key) triplet with their LSP; >>> the LSP sends/requests messages from the hub based on this triplet. The >>> flow is unidirectional -- users only ever provide partition keys to their >>> LSP, the LSP only ever provides them to the hub. The hub uses the provided >>> partition key to gate which messages it provides back to the LSP, and the >>> LSP uses the partition key to gate which messages it provides back to the >>> user. >>> >>> >>>> - In the self Remove case, an external commit can ignore the proposal, >>>> leaving the client in the MLS group, unless it a) uses SelfRemove, b) >>>> continues to monitor the group for a Commit showing its removal, or c) uses >>>> an extension to insist that external commits include queued proposals. >>>> >>> >>> Yes, these are all valid approaches imo. You would just need an >>> extension point to make (a) or (c) implementable >>> >>> >>>> - Do you envision that handshakes on the hub are always either always >>>> private or always public for a single MLS group/MIMI room, or could they be >>>> a mix? >>>> >>> >>> My initial idea is that maybe clients could negotiate public/private >>> based on preferences expressed in a LeafNode extension. But the protocol >>> between service providers is neutral to this -- an unencrypted Commit + >>> GroupInfo is shuffled around the same as an encrypted Commit. Maybe you >>> would have some special compression for transmitting the ratchet tree >>> >>> >>>> >>>> Thanks, >>>> -rohan >>>> >>>> >>>> >>>> On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion < >>>> brendanmcmillion@gmail.com> wrote: >>>> >>>>> Hi Rohan >>>>> >>>>> Sure, here's a general approach that I think would meet mimi's goals >>>>> better: >>>>> https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02 >>>>> >>>>> It's hard for me to see how the pseudonyms approach could possibly be >>>>> fruitful. If the reason for requiring PublicMessage is performance (i.e. >>>>> having clients upload a linear amount of encrypted data is too expensive >>>>> for them), how could a pseudonym scheme possibly authenticate a linear >>>>> number of members with sublinear data? Say that it is possible -- why >>>>> couldn't this same encryption scheme just be applied directly to the >>>>> ratchet tree, instead of adding a layer of indirection that risks voiding >>>>> the security of all of MLS? >>>>> >>>>> If the reason for requiring PublicMessage is to support policy >>>>> enforcement, then obviously we don't trust clients to do this themselves. >>>>> But if we don't trust clients, the approach of inspecting handshake >>>>> messages and trying to actively track the group state actually makes the >>>>> protocol more brittle and vulnerable to abuse. The hub server can't verify >>>>> group state, so a single malformed message can brick the group in >>>>> innumerable different ways and there's nothing that can be done to recover. >>>>> If the hub server was out of the way, instead of enforcing it's own idea of >>>>> who's in the group and which epoch is most recent, honest clients can >>>>> recover from malicious behavior in a straightforward way. >>>>> >>>>> >>>>> On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi Brendan, >>>>>> >>>>>> You characterized the state of the current draft as "freely" sharing >>>>>> a lot of metadata with all the providers. I'd like to examine that a bit >>>>>> more. >>>>>> >>>>>> Assuming each client follows the recommendation in the draft to use a >>>>>> unique pseudonym per group (this implies only joining via join/invitation >>>>>> links or knocks), the non-local providers know the following: >>>>>> - the authorization policy of the group (broadly), >>>>>> - how many MLS clients from each provider are in each group, >>>>>> - how often each client sends messages, >>>>>> - the authorization role(s) assigned to their anonymized users, and >>>>>> - (if they reveal it) if there are multiple devices under the same >>>>>> pseudonym. >>>>>> >>>>>> While a user's local provider (which the user has chosen) is sort of >>>>>> outside of the scope of MIMI, when it is a hub provider it will at least >>>>>> need to disclose machine-readable privacy information for each of its >>>>>> rooms. Each client gets to examine the room policy before they join and >>>>>> before they accept any change to that policy. This is already way better >>>>>> than the status quo. The metadata privacy extensions that Konrad and >>>>>> Raphael are working on further improve the privacy situation. >>>>>> >>>>>> If you think this is setting the privacy bar too low, I think it >>>>>> would be reasonable to provide an outline of how you think MIMI could >>>>>> provide similar functionality with even less metadata. IMO this doesn't >>>>>> need to be an I-D, but at least a page-long email with bullet points. >>>>>> >>>>>> Thanks, >>>>>> -rohan >>>>>> >>>>>> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion < >>>>>> brendanmcmillion@gmail.com> wrote: >>>>>> >>>>>>> Providing the same privacy properties as Signal is incredibly >>>>>>> difficult. Nobody is asking mimi to do that. However, the mimi protocol >>>>>>> could be a neutral way for service providers to synchronize messages >>>>>>> related to a given group. Whether a service provider chooses to receive >>>>>>> messages in some exceptionally private way or not, would be the service >>>>>>> provider's choice. But instead the drafts require duplicating state between >>>>>>> the encryption layer and mimi layer, and this presupposes a certain >>>>>>> inescapable amount of metadata leakage. >>>>>>> >>>>>>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell < >>>>>>>> stephen.farrell@cs.tcd.ie> wrote: >>>>>>>> >>>>>>>>> Sounds like a classic loss for privacy. >>>>>>>>> >>>>>>>> >>>>>>>> I argue it is the opposite. Today if you want to join a group chat >>>>>>>> on any system other than Signal, the participants surrender much more >>>>>>>> metadata than would be revealed to other providers under the proposed MIMI >>>>>>>> approach with pseudonyms. In addition, the low metadata approaches (using >>>>>>>> techniques such as privacy pass) that Konrad and Raphael are nurturing >>>>>>>> offer substantial improvements to privacy. >>>>>>>> If we publish a specification that requires all providers to >>>>>>>> provide at least Signal-level metadata privacy, it is likely that we will >>>>>>>> end up with neither interoperability nor privacy for the vast majority of >>>>>>>> users. >>>>>>>> Thanks, >>>>>>>> -rohan >>>>>>>> >>>>>>>> -- > Mimi mailing list > Mimi@ietf.org > https://www.ietf.org/mailman/listinfo/mimi >
- [Mimi] Confirming adoption calls for draft-barnes… Alissa Cooper
- Re: [Mimi] Confirming adoption calls for draft-ba… Richard Barnes
- Re: [Mimi] Confirming adoption calls for draft-ba… Travis Ralston
- Re: [Mimi] Confirming adoption calls for draft-ba… Suhas Nandakumar
- Re: [Mimi] Confirming adoption calls for draft-ba… Eric Rescorla
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Richard Barnes
- Re: [Mimi] Confirming adoption calls for draft-ba… Konrad Kohbrok
- Re: [Mimi] Confirming adoption calls for draft-ba… Stephen Farrell
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Raphael Robert
- Re: [Mimi] Confirming adoption calls for draft-ba… Hale, Britta (CIV)
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Vittorio Bertola
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Jon Crowcroft
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- [Mimi] Brendan's Partition Keys (was Re: Confirmi… Rohan Mahy
- Re: [Mimi] Brendan's Partition Keys (was Re: Conf… Rohan Mahy
- Re: [Mimi] Brendan's Partition Keys (was Re: Conf… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Alissa Cooper
- Re: [Mimi] Confirming adoption calls for draft-ba… Tim Geoghegan