IETF Logo Mail Archive

Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol

Brendan McMillion <brendanmcmillion@gmail.com> Wed, 27 March 2024 01:58 UTC

Return-Path: <brendanmcmillion@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE75AC14F6A4 for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 18:58:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8lZv8BA9leMH for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 18:58:30 -0700 (PDT)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC9ACC14F618 for <mimi@ietf.org>; Tue, 26 Mar 2024 18:58:30 -0700 (PDT)
Received: by mail-vs1-xe33.google.com with SMTP id ada2fe7eead31-4765cffb446so2681772137.0 for <mimi@ietf.org>; Tue, 26 Mar 2024 18:58:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711504709; x=1712109509; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=enih6O91wXWPyjGrFsGPn2vhVd+Y+d70OCfETprBnl0=; b=VFxnVEpCfOG/BiBCOlp/zwSsqcL2CtWUTzBs2YorTO6ptiWIuz312lIG9gNhtyooKc tvOpSOvbOVXnxnKkfKkabbWz8mcryZ/9EpCeuKAqeRZkOzaELY7T9m0xbLbMVsl/gSIH pMKDn38RQtvxFApfnYep08YHcdwvCnKwc4nO2nfFnNj8Yu/ni+J5y//C2rOSt3TY2p9t vbn2ztAUWLlVDCgn6G3xHwZL6d600AiaFwtzn9cPQeTzNoO3rguZ0im91Xwavu2dH89U eZHPluWgoDCmnPj/BAmLb7bd7XDeem+BSAvbMYBIpcN8rAQtrDATuUyNJO6+wUXr0exb a86g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711504709; x=1712109509; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=enih6O91wXWPyjGrFsGPn2vhVd+Y+d70OCfETprBnl0=; b=eUdj4NxaDmekfqyEdh78guyVgzHQ3z1tfJ6M0Qbczt4PIm8bgrdmREywUyOBBdmTka TN8Nsj34LKxlvdEX4FTsJ9AKVNw0wFo7/bz4JHkxJ9BWmJTN42ad1zVUzp2l8DHnzIbg j47ACNjNmlw2A1KWVhFBZKR07B6zqa8t6iYnHWhz07Qr2H5YDP9j0UWNAKDJ3430A6ov Z2qQbxIUaIAkoSchcD8samYa/rQzuIu9ltvVigv7eN+7ArlhQ/v2ulsVKEpSbSn0167P lBTOpmY9MKGvluf5TXPo0+18xt+bWmJV4Y+6cy+S5T8Z9JSzJj04FErndAxMraluk7XN Lr8A==
X-Forwarded-Encrypted: i=1; AJvYcCUu0bEgXeSXY7KMDXQI+pCZ1uJ1OEK05PeR1+lBBkLWfoHJOOZeDDsFcUQlPyaHnFYGUCs1QK/46RWdPX+D
X-Gm-Message-State: AOJu0YwZOFpGTJWO5vEGwgDuH9V9yHRQUztHbHRebsauxD5xlasIx7OI du9h052+AeHq4RSZ9AD07NCs2+I8whyNIVGjEhkRAgZ7lzS0QEjOii9p5dtQvavHE48Pxt9u0ud oP5t1e1fHYZkS96K0VhJcXiXds/KTIGWFjjQrVQ==
X-Google-Smtp-Source: AGHT+IEM3xdC+vTVY+g3u1e/zCW7I4XBvIgMMTKsxWkgXKSALTb3BYsrkAJI1oKWigkzfUi/2bJujiJ22LCpB1R6c1I=
X-Received: by 2002:a67:f499:0:b0:476:d26c:dfbf with SMTP id o25-20020a67f499000000b00476d26cdfbfmr2712419vsn.28.1711504709380; Tue, 26 Mar 2024 18:58:29 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com> <CAKoiRubheSkkSHX8Of+j_Tc7CigTpxkKDXT0VVXG7HMru8qW+Q@mail.gmail.com>
In-Reply-To: <CAKoiRubheSkkSHX8Of+j_Tc7CigTpxkKDXT0VVXG7HMru8qW+Q@mail.gmail.com>
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Tue, 26 Mar 2024 18:58:18 -0700
Message-ID: <CAJTd26KEVoHx1kv=UL_sxDaDOwLuy+-f_8qruJHrZ9enLNfq=A@mail.gmail.com>
To: Rohan Mahy <rohan.mahy@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Richard Barnes <rlb@ipv.sx>, Suhas Nandakumar <suhasietf@gmail.com>, Travis Ralston <travisr=40matrix.org@dmarc.ietf.org>, Alissa Cooper <alissa@cooperw.in>, mimi@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003bf1fa06149abe32"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/YI6ATenPitzdTSibr2YqQB4lXiI>
Subject: Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 01:58:31 -0000

Responses inline,

On Tue, Mar 26, 2024 at 1:32 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:

> Hi Brendan,
> Thanks very much for sharing this. This is generally the right level of
> detail and helps a lot for understanding where you are coming from.
>
> A few questions and reactions:
> - Could you please elaborate on the construction of the bearer tokens? If
> not done correctly, this can easily leak as much metadata as the design
> team proposal.
>

In the current draft, KeyPackage requests contain both the requesting
user's and the target user's identity, and the request is proxied plaintext
through several providers. Everyone in the system can see "Alice wants to
talk to Bob." By making KeyPackage requests over OHTTP, only the RSP can
see "Someone wants to talk to Bob." The RSP might assign bearer tokens so
that it knows "Someone" is "Alice", but it also could not. The point is the
RSP has control over the anonymity set, and can define it in a way that
protects privacy + works with their abuse mitigation.

The idea of authing with a bearer token that corresponds to an anonymity
set is a core part of how Sealed Sender works. Allowing users to /verify/
that they're in an anonymity set isn't required


> - How does the hub know when to stop sending messages to an RSP?
>

If an RSP doesn't have any users that are asking for the messages for a
group, the RSP will simply stop pulling messages / revoke consent for push
requests. This is independent of the MLS state.


> - What happens if a hub forwards an invalid/unacceptable commit (not
> related to an unwanted Welcome) and all the other clients are offline? How
> does "rollback" work? (Note the current proposal will also need to address
> a subset of this same problem)
>

When honest clients come online, they will ignore the invalid commit. The
user that sent the invalid commit will either a.) keep sending messages to
the old epoch, or b.) start sending messages to a new epoch with a new
partition key. Because the honest clients ignored the commit, they will
never see/request the messages that went to the new partition key.
Repeatedly messaging an epoch after sending a Commit, or sending messages
to a partition key that nobody ever reads, should signal abuse to the
service provider.


> - Are partition keys shared with any of the providers? If so, how do they
> use them? If not, what benefit do they provide?
>

Users share a (group id, epoch, partition key) triplet with their LSP; the
LSP sends/requests messages from the hub based on this triplet. The flow is
unidirectional -- users only ever provide partition keys to their LSP, the
LSP only ever provides them to the hub. The hub uses the provided partition
key to gate which messages it provides back to the LSP, and the LSP uses
the partition key to gate which messages it provides back to the user.


> - In the self Remove case, an external commit can ignore the proposal,
> leaving the client in the MLS group, unless it a) uses SelfRemove, b)
> continues to monitor the group for a Commit showing its removal, or c) uses
> an extension to insist that external commits include queued proposals.
>

Yes, these are all valid approaches imo. You would just need an extension
point to make (a) or (c) implementable


> - Do you envision that handshakes on the hub are always either always
> private or always public for a single MLS group/MIMI room, or could they be
> a mix?
>

My initial idea is that maybe clients could negotiate public/private based
on preferences expressed in a LeafNode extension. But the protocol between
service providers is neutral to this -- an unencrypted Commit + GroupInfo
is shuffled around the same as an encrypted Commit. Maybe you would have
some special compression for transmitting the ratchet tree


>
> Thanks,
> -rohan
>
>
>
> On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion <
> brendanmcmillion@gmail.com> wrote:
>
>> Hi Rohan
>>
>> Sure, here's a general approach that I think would meet mimi's goals
>> better: https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02
>>
>> It's hard for me to see how the pseudonyms approach could possibly be
>> fruitful. If the reason for requiring PublicMessage is performance (i.e.
>> having clients upload a linear amount of encrypted data is too expensive
>> for them), how could a pseudonym scheme possibly authenticate a linear
>> number of members with sublinear data? Say that it is possible -- why
>> couldn't this same encryption scheme just be applied directly to the
>> ratchet tree, instead of adding a layer of indirection that risks voiding
>> the security of all of MLS?
>>
>> If the reason for requiring PublicMessage is to support policy
>> enforcement, then obviously we don't trust clients to do this themselves.
>> But if we don't trust clients, the approach of inspecting handshake
>> messages and trying to actively track the group state actually makes the
>> protocol more brittle and vulnerable to abuse. The hub server can't verify
>> group state, so a single malformed message can brick the group in
>> innumerable different ways and there's nothing that can be done to recover.
>> If the hub server was out of the way, instead of enforcing it's own idea of
>> who's in the group and which epoch is most recent, honest clients can
>> recover from malicious behavior in a straightforward way.
>>
>>
>> On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>>
>>> Hi Brendan,
>>>
>>> You characterized the state of the current draft as "freely" sharing a
>>> lot of metadata with all the providers. I'd like to examine that a bit more.
>>>
>>> Assuming each client follows the recommendation in the draft to use a
>>> unique pseudonym per group (this implies only joining via join/invitation
>>> links or knocks), the non-local providers know the following:
>>> - the authorization policy of the group (broadly),
>>> - how many MLS clients from each provider are in each group,
>>> - how often each client sends messages,
>>> - the authorization role(s) assigned to their anonymized users, and
>>> - (if they reveal it) if there are multiple devices under the same
>>> pseudonym.
>>>
>>> While a user's local provider (which the user has chosen) is sort of
>>> outside of the scope of MIMI, when it is a hub provider it will at least
>>> need to disclose machine-readable privacy information for each of its
>>> rooms. Each client gets to examine the room policy before they join and
>>> before they accept any change to that policy. This is already way better
>>> than the status quo. The metadata privacy extensions that Konrad and
>>> Raphael are working on further improve the privacy situation.
>>>
>>> If you think this is setting the privacy bar too low, I think it would
>>> be reasonable to provide an outline of how you think MIMI could provide
>>> similar functionality with even less metadata. IMO this doesn't need to be
>>> an I-D, but at least a page-long email with bullet points.
>>>
>>> Thanks,
>>> -rohan
>>>
>>> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion <
>>> brendanmcmillion@gmail.com> wrote:
>>>
>>>> Providing the same privacy properties as Signal is incredibly
>>>> difficult. Nobody is asking mimi to do that. However, the mimi protocol
>>>> could be a neutral way for service providers to synchronize messages
>>>> related to a given group. Whether a service provider chooses to receive
>>>> messages in some exceptionally private way or not, would be the service
>>>> provider's choice. But instead the drafts require duplicating state between
>>>> the encryption layer and mimi layer, and this presupposes a certain
>>>> inescapable amount of metadata leakage.
>>>>
>>>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>>>> wrote:
>>>>>
>>>>>> Sounds like a classic loss for privacy.
>>>>>>
>>>>>
>>>>> I argue it is the opposite. Today if you want to join a group chat on
>>>>> any system other than Signal, the participants surrender much more metadata
>>>>> than would be revealed to other providers under the proposed MIMI approach
>>>>> with pseudonyms. In addition, the low metadata approaches (using techniques
>>>>> such as privacy pass) that Konrad and Raphael are nurturing offer
>>>>> substantial improvements to privacy.
>>>>> If we publish a specification that requires all providers to provide
>>>>> at least Signal-level metadata privacy, it is likely that we will end up
>>>>> with neither interoperability nor privacy for the vast majority of users.
>>>>> Thanks,
>>>>> -rohan
>>>>>
>>>>>

v2.23.0 | Report a Bug | By Email