IETF Logo Mail Archive

Re: [Mimi] Brendan's Partition Keys (was Re: Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol)

Brendan McMillion <brendanmcmillion@gmail.com> Fri, 29 March 2024 07:56 UTC

Return-Path: <brendanmcmillion@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B58C0C151545 for <mimi@ietfa.amsl.com>; Fri, 29 Mar 2024 00:56:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ncuOOBuEWW6 for <mimi@ietfa.amsl.com>; Fri, 29 Mar 2024 00:56:13 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAED4C14CE3B for <mimi@ietf.org>; Fri, 29 Mar 2024 00:56:13 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id a1e0cc1a2514c-7dfacd39b9eso1631867241.1 for <mimi@ietf.org>; Fri, 29 Mar 2024 00:56:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711698972; x=1712303772; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DVRFkvJNyqeRXsm7cKHamQLbswmX3H7/Vxw7IheiaKI=; b=QjdYy/6oAvIekFIU7mcO82YuN4lz/c0XAD0ZM0G/pjYlqYcvnZKD7WmRfnNLYGCd94 Adx/olQVdm/qCuZfgkWtToM4894GbSIM51oaHsgD1Vv49qehXU6tLEZcLn8r0vfcWJiz YEQqYHrny0ERLEeBmmORe/EQVEiyCrBKA0FHtM7rApuuUQvDPGJLtKvqQbPTs5PQFTIk E2DbKN7ONuKGjlXfvU2/cgGruKA9ZycUtpiNjU7+TGKlzQPhKez5UYC3AArjSmK7Z0lO 3tyLaaI9KYMIrl6PwwIzeDJClHFDnEv8eWfzXEJgf+SXqh9AYlh/r6KC2mSIIZkdTzbB 5u+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711698972; x=1712303772; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DVRFkvJNyqeRXsm7cKHamQLbswmX3H7/Vxw7IheiaKI=; b=fsiqAaz8JNbfjmDJ9s09xT1ORXEyTUP8+mK5YKoJ+UOcTnYa6H0tmY0KNwN+4ZU5l+ yUcPhd3zU5cg0IQU+ps4RTzVzWkjBNd7zBY8cKL5c2kHf3ZlvnxiXUkJpysxVmp4Oij8 okrSq8pJBO8dX5fqk8ywIlKdnIPnPtz+Ys9pyQU0iRyxzNhyHSQxIsHmGz3sXI/yREAD zTM8SFLuUT5aL8MtWOKSPziIWKvkET72E+eFu1zKStSm5UaVzmfuVXh5TOQ1gGeOMHxb a2DXDCMLBBNpA35eEZT8V2uQ0E18CWJRSN9LBxIHDqDEzUGiof4OsVpVZ7fnjD6mcgzp MpbA==
X-Gm-Message-State: AOJu0YxHNQ9GVP0SQ9MW9jb6wifw4tEUFKFkMHoD3Z2ZZxpz4PFJSvBP 6L1jhdAOX/9PNXL/wB7YYxTPE0cszRoJfGaleJUEYByHDA65iWUgjSUha/SjjqUQb4ycJz8fL+i Ic7P9/Ti+zP8JtoostxVVUryKiYaBn1lMJV4=
X-Google-Smtp-Source: AGHT+IEzump1IBkTX0I2Di2wSSTCymON9ZhxSrHMv83f4t7e+S1CtJrSAehatXGt9AGqd4t8gyVjF+iv25lpT9phYd4=
X-Received: by 2002:a67:ee04:0:b0:478:4527:c898 with SMTP id f4-20020a67ee04000000b004784527c898mr3151994vsp.0.1711698972389; Fri, 29 Mar 2024 00:56:12 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com> <CAKoiRuY72u2UT4ThToYFZY6QHa2UgpxH-iXZiKP1pPd4AANt3w@mail.gmail.com> <CAKoiRuZEAkM4vq66V02Jh7-=8-yc0ayUcH0pQfZPOaBH032z4A@mail.gmail.com>
In-Reply-To: <CAKoiRuZEAkM4vq66V02Jh7-=8-yc0ayUcH0pQfZPOaBH032z4A@mail.gmail.com>
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Fri, 29 Mar 2024 00:56:01 -0700
Message-ID: <CAJTd26+ALK4uUG+J=0bhVrUb8pi7DK0HT8gNDOdBiTu34NzA1g@mail.gmail.com>
To: Rohan Mahy <rohan.mahy@gmail.com>
Cc: mimi@ietf.org
Content-Type: multipart/alternative; boundary="000000000000363afe0614c7f9a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/Oj9GthdRu0znJE4Kd6dOgNQygjs>
Subject: Re: [Mimi] Brendan's Partition Keys (was Re: Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol)
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 07:56:14 -0000

That's a great point! In terms of abuse mitigation, the value of the
partition key is that it prevents unwanted writes to the /most recent/
epoch. You can still try to write junk to previous epochs where you were in
the group and you knew the partition key. If clients have been offline in
the intervening time, they might still need to process the epochs that
you're filling with junk. But /past/ epochs end with a Commit, and honest
clients can stop reading once they get to the Commit.

So the guidance then would be that pushing a non-leaf epoch, either
hub->RSP or RSP->user, is always fine. (Remembering that without the hub
enforcing a linear sequence of epochs, you have a digraph of epochs
instead, so maybe multiple leafs.) Pushing leaf epochs from hub->RSP risks
opening yourself up to spam from a malicious provider, but maybe that's not
a realistic danger


On Thu, Mar 28, 2024 at 11:21 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:

> Sorry, I typed "privacy keys" instead of "partition keys" in a few places
> in my message.
>
> Brendan's gist uses partition keys between the RSP and the hub. I think
> this is a bad idea because of the extra rountrips needed when an offline
> client comes back online and the potential privacy leakage. That doesn't
> mean it wouldn't be potentially useful between the RSP and its client, or
> as an internal filtering mechanism among messages on the client.
> Thanks,
> -rohan
>
>
>
> On Thu, Mar 28, 2024, 22:14 Rohan Mahy <rohan.mahy@gmail.com> wrote:
>
>> Hi Brendan,
>> I realized that the privacy keys in your gist have some negative
>> implications for offline use and also leak private timing information.
>>
>> A partition key is a short secret exported from the MLS key schedule.
>>> Whenever users send or receive group messages, they provide the partition
>>> key for the current epoch. Messages sent with a given partition key are
>>> only provided to users who request to receive messages with the same
>>> partition key. (Exceptions may be selectively made for external commits /
>>> proposals, given that the sender isn't in the group yet.)
>>
>>
>> So if a user is offline and was "subscribed" to the privacy key for group
>> "clubhouse" in epoch 13, its RSP will receive app messages in that group
>> and the Commit that moves it to epoch 14, however the RSP won't request
>> anything for subsequent epochs while its client is offline. The hub has to
>> keep messages as long as the longest period that an individual client on
>> any of the providers can be offline. It also means a client will need
>> several round trips to subscribe for messages as a busy group transitions
>> from epoch to epoch. This is not great for the user experience, especially
>> if the client is on a high-latency connection.
>>
>> If the RSP has relatively few users, this also leaks a lot of timing
>> information about when clients of the RSP are online and offline.
>>
>> Thanks,
>> -rohan
>>
>> On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion <
>> brendanmcmillion@gmail.com> wrote:
>>
>>> Hi Rohan
>>>
>>> Sure, here's a general approach that I think would meet mimi's goals
>>> better:
>>> https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02
>>>
>>> It's hard for me to see how the pseudonyms approach could possibly be
>>> fruitful. If the reason for requiring PublicMessage is performance (i.e.
>>> having clients upload a linear amount of encrypted data is too expensive
>>> for them), how could a pseudonym scheme possibly authenticate a linear
>>> number of members with sublinear data? Say that it is possible -- why
>>> couldn't this same encryption scheme just be applied directly to the
>>> ratchet tree, instead of adding a layer of indirection that risks voiding
>>> the security of all of MLS?
>>>
>>> If the reason for requiring PublicMessage is to support policy
>>> enforcement, then obviously we don't trust clients to do this themselves.
>>> But if we don't trust clients, the approach of inspecting handshake
>>> messages and trying to actively track the group state actually makes the
>>> protocol more brittle and vulnerable to abuse. The hub server can't verify
>>> group state, so a single malformed message can brick the group in
>>> innumerable different ways and there's nothing that can be done to recover.
>>> If the hub server was out of the way, instead of enforcing it's own idea of
>>> who's in the group and which epoch is most recent, honest clients can
>>> recover from malicious behavior in a straightforward way.
>>>
>>>
>>> On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>>>
>>>> Hi Brendan,
>>>>
>>>> You characterized the state of the current draft as "freely" sharing a
>>>> lot of metadata with all the providers. I'd like to examine that a bit more.
>>>>
>>>> Assuming each client follows the recommendation in the draft to use a
>>>> unique pseudonym per group (this implies only joining via join/invitation
>>>> links or knocks), the non-local providers know the following:
>>>> - the authorization policy of the group (broadly),
>>>> - how many MLS clients from each provider are in each group,
>>>> - how often each client sends messages,
>>>> - the authorization role(s) assigned to their anonymized users, and
>>>> - (if they reveal it) if there are multiple devices under the same
>>>> pseudonym.
>>>>
>>>> While a user's local provider (which the user has chosen) is sort of
>>>> outside of the scope of MIMI, when it is a hub provider it will at least
>>>> need to disclose machine-readable privacy information for each of its
>>>> rooms. Each client gets to examine the room policy before they join and
>>>> before they accept any change to that policy. This is already way better
>>>> than the status quo. The metadata privacy extensions that Konrad and
>>>> Raphael are working on further improve the privacy situation.
>>>>
>>>> If you think this is setting the privacy bar too low, I think it would
>>>> be reasonable to provide an outline of how you think MIMI could provide
>>>> similar functionality with even less metadata. IMO this doesn't need to be
>>>> an I-D, but at least a page-long email with bullet points.
>>>>
>>>> Thanks,
>>>> -rohan
>>>>
>>>> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion <
>>>> brendanmcmillion@gmail.com> wrote:
>>>>
>>>>> Providing the same privacy properties as Signal is incredibly
>>>>> difficult. Nobody is asking mimi to do that. However, the mimi protocol
>>>>> could be a neutral way for service providers to synchronize messages
>>>>> related to a given group. Whether a service provider chooses to receive
>>>>> messages in some exceptionally private way or not, would be the service
>>>>> provider's choice. But instead the drafts require duplicating state between
>>>>> the encryption layer and mimi layer, and this presupposes a certain
>>>>> inescapable amount of metadata leakage.
>>>>>
>>>>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <
>>>>>> stephen.farrell@cs.tcd.ie> wrote:
>>>>>>
>>>>>>> Sounds like a classic loss for privacy.
>>>>>>>
>>>>>>
>>>>>> I argue it is the opposite. Today if you want to join a group chat on
>>>>>> any system other than Signal, the participants surrender much more metadata
>>>>>> than would be revealed to other providers under the proposed MIMI approach
>>>>>> with pseudonyms. In addition, the low metadata approaches (using techniques
>>>>>> such as privacy pass) that Konrad and Raphael are nurturing offer
>>>>>> substantial improvements to privacy.
>>>>>> If we publish a specification that requires all providers to provide
>>>>>> at least Signal-level metadata privacy, it is likely that we will end up
>>>>>> with neither interoperability nor privacy for the vast majority of users.
>>>>>> Thanks,
>>>>>> -rohan
>>>>>>
>>>>>> --
>> Mimi mailing list
>> Mimi@ietf.org
>> https://www.ietf.org/mailman/listinfo/mimi
>>
>

v2.23.0 | Report a Bug | By Email