Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
Rohan Mahy <rohan.mahy@gmail.com> Tue, 26 March 2024 20:32 UTC
Return-Path: <rohan.mahy@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 842A7C14F6AA for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 13:32:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MinfOve5U6ON for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 13:32:17 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 446B3C14F61D for <mimi@ietf.org>; Tue, 26 Mar 2024 13:32:17 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-515b69e8f38so1324532e87.1 for <mimi@ietf.org>; Tue, 26 Mar 2024 13:32:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711485135; x=1712089935; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/aw5veFzhrgCiYrVSO3TH8i/aaFfzbxb/6VR6HKAkRo=; b=W3f0kNuwmZcplGURBVF7b10eqVKeH+Vtu5Sj+wSiaHaMQ0s5BR9AK3DqSFM+hrLQkl mtfIan/5czUwXQmeiRzw6z5DMBRgYkOz34Qk8tV1P1q2mD6TBFaKya6v4ihnsJjWpiok ONieTXoWzzrqeHCzT6j834CmDrYoIn3IxLHVpgtvHHFbpdz67ugFNK5/Ag2CVhqN3u9f v2DsxVQkOIZavh0Cky6jNE5T29M/tcoeVB0PbBykChC0YTpNVMqCfouurxbP4U97/LjT k2jVyxhV6o4VSKXgIRPwaFJ9msGMVla8c9ZbCYKZe4b6zDdTeuDbec9nk1ZeiMTtPcGQ BN0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711485135; x=1712089935; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/aw5veFzhrgCiYrVSO3TH8i/aaFfzbxb/6VR6HKAkRo=; b=CNS9Y1nC7MvaACR/Bhn8qg6FkjhIWHKgYrTgB4xNISoR5na0pjObQ0DcWDE+28G6iR 542Qqygp6HTw8YWu37Os42A++1X+qoLaX0xgMHhusk8fXjiSeCeDA0OQKpLRf+0D+nNa l0Bg2UaNHjZHGtxp/5fnOTiAqq0Ogzf2IQUyL0VYA/cOHYoBwSy5iW9h4mCsTuNVMimX bo4cHRpGbFAaKkioMhWIrWCnwpVSqt7mmixKlqesWGr3yZwTC5YZydGXp3zJmr8DyEZ0 3UnvHxQSZxmGXqt4YHbvoKEBCLmMsSAa+9b2BpInrUj715yzGs1VP6nqfWxNlo28JRHY GMgA==
X-Forwarded-Encrypted: i=1; AJvYcCW1qVXxxIdlqzfpCBEAgKENvEUjFXxA56EVGQScjh2E2g2wC7ij0lGtu9hY+Jj83RmpGWeX+ZYgvOyFSSS8
X-Gm-Message-State: AOJu0YxpSpDlUjLdG2GvpbUZZYmN80zDdZ6zLMtx7fiPtuJl6Uy9VyWy Q0a2Wq17hRh5k7wlSzVjx+Up1/nJm2J2lKL4i+9KAXt8F2eUFDUnToR19gF4m+zEkCpChVEguVq sZau6vyjHT/OIZenJnNKTh/OzKuE=
X-Google-Smtp-Source: AGHT+IE6NGO1LQwfeBJzelVi1BoegLahrhthv3uts/FulsJAw8EHHGVUMy0riS7nmUdrDXtZUG86gTVaOTYH7e5TxUU=
X-Received: by 2002:a05:6512:3e06:b0:515:b67c:d72c with SMTP id i6-20020a0565123e0600b00515b67cd72cmr2914386lfv.26.1711485134546; Tue, 26 Mar 2024 13:32:14 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com>
In-Reply-To: <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Tue, 26 Mar 2024 13:32:02 -0700
Message-ID: <CAKoiRubheSkkSHX8Of+j_Tc7CigTpxkKDXT0VVXG7HMru8qW+Q@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Richard Barnes <rlb@ipv.sx>, Suhas Nandakumar <suhasietf@gmail.com>, Travis Ralston <travisr=40matrix.org@dmarc.ietf.org>, Alissa Cooper <alissa@cooperw.in>, mimi@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007bb1f40614962f7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/TJZ100gL4aPTM0GgFxwaGaQEnr0>
Subject: Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2024 20:32:19 -0000
Hi Brendan, Thanks very much for sharing this. This is generally the right level of detail and helps a lot for understanding where you are coming from. A few questions and reactions: - Could you please elaborate on the construction of the bearer tokens? If not done correctly, this can easily leak as much metadata as the design team proposal. - How does the hub know when to stop sending messages to an RSP? - What happens if a hub forwards an invalid/unacceptable commit (not related to an unwanted Welcome) and all the other clients are offline? How does "rollback" work? (Note the current proposal will also need to address a subset of this same problem) - Are partition keys shared with any of the providers? If so, how do they use them? If not, what benefit do they provide? - In the self Remove case, an external commit can ignore the proposal, leaving the client in the MLS group, unless it a) uses SelfRemove, b) continues to monitor the group for a Commit showing its removal, or c) uses an extension to insist that external commits include queued proposals. - Do you envision that handshakes on the hub are always either always private or always public for a single MLS group/MIMI room, or could they be a mix? Thanks, -rohan On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion < brendanmcmillion@gmail.com> wrote: > Hi Rohan > > Sure, here's a general approach that I think would meet mimi's goals > better: https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02 > > It's hard for me to see how the pseudonyms approach could possibly be > fruitful. If the reason for requiring PublicMessage is performance (i.e. > having clients upload a linear amount of encrypted data is too expensive > for them), how could a pseudonym scheme possibly authenticate a linear > number of members with sublinear data? Say that it is possible -- why > couldn't this same encryption scheme just be applied directly to the > ratchet tree, instead of adding a layer of indirection that risks voiding > the security of all of MLS? > > If the reason for requiring PublicMessage is to support policy > enforcement, then obviously we don't trust clients to do this themselves. > But if we don't trust clients, the approach of inspecting handshake > messages and trying to actively track the group state actually makes the > protocol more brittle and vulnerable to abuse. The hub server can't verify > group state, so a single malformed message can brick the group in > innumerable different ways and there's nothing that can be done to recover. > If the hub server was out of the way, instead of enforcing it's own idea of > who's in the group and which epoch is most recent, honest clients can > recover from malicious behavior in a straightforward way. > > > On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> wrote: > >> Hi Brendan, >> >> You characterized the state of the current draft as "freely" sharing a >> lot of metadata with all the providers. I'd like to examine that a bit more. >> >> Assuming each client follows the recommendation in the draft to use a >> unique pseudonym per group (this implies only joining via join/invitation >> links or knocks), the non-local providers know the following: >> - the authorization policy of the group (broadly), >> - how many MLS clients from each provider are in each group, >> - how often each client sends messages, >> - the authorization role(s) assigned to their anonymized users, and >> - (if they reveal it) if there are multiple devices under the same >> pseudonym. >> >> While a user's local provider (which the user has chosen) is sort of >> outside of the scope of MIMI, when it is a hub provider it will at least >> need to disclose machine-readable privacy information for each of its >> rooms. Each client gets to examine the room policy before they join and >> before they accept any change to that policy. This is already way better >> than the status quo. The metadata privacy extensions that Konrad and >> Raphael are working on further improve the privacy situation. >> >> If you think this is setting the privacy bar too low, I think it would be >> reasonable to provide an outline of how you think MIMI could provide >> similar functionality with even less metadata. IMO this doesn't need to be >> an I-D, but at least a page-long email with bullet points. >> >> Thanks, >> -rohan >> >> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion < >> brendanmcmillion@gmail.com> wrote: >> >>> Providing the same privacy properties as Signal is incredibly difficult. >>> Nobody is asking mimi to do that. However, the mimi protocol could be a >>> neutral way for service providers to synchronize messages related to a >>> given group. Whether a service provider chooses to receive messages in some >>> exceptionally private way or not, would be the service provider's choice. >>> But instead the drafts require duplicating state between the encryption >>> layer and mimi layer, and this presupposes a certain inescapable amount of >>> metadata leakage. >>> >>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com> wrote: >>> >>>> >>>> >>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <stephen.farrell@cs.tcd.ie> >>>> wrote: >>>> >>>>> Sounds like a classic loss for privacy. >>>>> >>>> >>>> I argue it is the opposite. Today if you want to join a group chat on >>>> any system other than Signal, the participants surrender much more metadata >>>> than would be revealed to other providers under the proposed MIMI approach >>>> with pseudonyms. In addition, the low metadata approaches (using techniques >>>> such as privacy pass) that Konrad and Raphael are nurturing offer >>>> substantial improvements to privacy. >>>> If we publish a specification that requires all providers to provide at >>>> least Signal-level metadata privacy, it is likely that we will end up with >>>> neither interoperability nor privacy for the vast majority of users. >>>> Thanks, >>>> -rohan >>>> >>>>
- [Mimi] Confirming adoption calls for draft-barnes… Alissa Cooper
- Re: [Mimi] Confirming adoption calls for draft-ba… Richard Barnes
- Re: [Mimi] Confirming adoption calls for draft-ba… Travis Ralston
- Re: [Mimi] Confirming adoption calls for draft-ba… Suhas Nandakumar
- Re: [Mimi] Confirming adoption calls for draft-ba… Eric Rescorla
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Richard Barnes
- Re: [Mimi] Confirming adoption calls for draft-ba… Konrad Kohbrok
- Re: [Mimi] Confirming adoption calls for draft-ba… Stephen Farrell
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Raphael Robert
- Re: [Mimi] Confirming adoption calls for draft-ba… Hale, Britta (CIV)
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Vittorio Bertola
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- Re: [Mimi] Confirming adoption calls for draft-ba… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Jon Crowcroft
- Re: [Mimi] Confirming adoption calls for draft-ba… Rohan Mahy
- [Mimi] Brendan's Partition Keys (was Re: Confirmi… Rohan Mahy
- Re: [Mimi] Brendan's Partition Keys (was Re: Conf… Rohan Mahy
- Re: [Mimi] Brendan's Partition Keys (was Re: Conf… Brendan McMillion
- Re: [Mimi] Confirming adoption calls for draft-ba… Alissa Cooper
- Re: [Mimi] Confirming adoption calls for draft-ba… Tim Geoghegan