IETF Logo Mail Archive

Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol

Rohan Mahy <rohan.mahy@gmail.com> Wed, 27 March 2024 05:12 UTC

Return-Path: <rohan.mahy@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25626C151984 for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 22:12:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l6AShDRccE_Y for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 22:12:22 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAE01C151527 for <mimi@ietf.org>; Tue, 26 Mar 2024 22:12:21 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-56c12c73ed8so3486625a12.2 for <mimi@ietf.org>; Tue, 26 Mar 2024 22:12:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711516340; x=1712121140; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=h17Ccswn3WryjB5bGGqJoFLjjpksonTR741T+JxFA8c=; b=Kn2DZtSpy2hXUz9mwJdj40LwIKS8fUBI0iE2s8MAeV+4vm9J8XfJwKP8ncSwRQixaW ebYHe3n0HvShWH68RWvllxpRVBnOG6UULPF/q0xrz0SNKeMteYyIKAr0V5eZYmZhL7GM lXoWGmfBm89SQFpyIJStsPaIhhA+45oe1TkffCviueERMIt+dMWwCm2vESPY+MlayWUd 4ZHMuNC/fgo1T++8CFcECC9gixAyaT+eW1qgIpbapP1B5943uN3HQHHBJ8z4CUa0EeOn QVBxJjlGeoLUSp9rgvzkCcZvUANn2BMZKh2dMvMxYfupWO2JzAidO9AYzyec2H6LnmHW Zhlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711516340; x=1712121140; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=h17Ccswn3WryjB5bGGqJoFLjjpksonTR741T+JxFA8c=; b=DG5yzPxdi54t6NA/Sv9ZLKi+gKN/6PJo0wE+k9XOyyq3OsJAvvAqNxk9LK+GvkhWBv e8zhTKJpJSeHL0rq6unAuS2ds4Q7QOAFGO+sZHInly+Qu7+SNauGnOmIjvuRuV+u9xXD prN/ADzvREekUbqD2zp/BY1CrAMDwL+AQnVvhUJrBKSMXcB+wrZJWYvLoOZl2MW4Nd7N 7mNTMaGzyWbffcfEbSsXjJ541tccPvfRqb9ekBFvgxjiKDEFhJuFjnTmUBaJntccsgcF b3o5aLFVGItPBJGqCCPnXRye/T5wRZQuPm9fcjbhXKiQ4Uji1x/5Siza9O1MSM33pEbm lYKQ==
X-Forwarded-Encrypted: i=1; AJvYcCXMlVuBvuIvwotrVhcY9m8XxIPq8Br9/pcf7CU6jnXSJyzGSwabpambPHCK6DLmN6O4i4t6/TC4kTlCvM6Q
X-Gm-Message-State: AOJu0YxpjKtVhT4mjlDVaJ+WBMSgSqcDItEXALskoQWJ30nkCd/OrNSh GtZSvBQtsu0wUv0lEaqzeJ87x2VH8AtqhM28aDg4QvP86yKX8dEVb5+l9mTrvdxbGtJPL9IlMG+ LFx3+UgAUfiyoBpKuO6IlZ/c3/kxdOp9MiqQ=
X-Google-Smtp-Source: AGHT+IFy0VtNcA9HocJSf6QtTU8FJIPNk3L5ut5RIxY9ls4yGgi8ylYMlqijrA+qHNBvlG0sHFJQzP6jmxFi46Bzm3k=
X-Received: by 2002:a50:d652:0:b0:56c:17be:5b03 with SMTP id c18-20020a50d652000000b0056c17be5b03mr91494edj.36.1711516339416; Tue, 26 Mar 2024 22:12:19 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com> <CAKoiRubheSkkSHX8Of+j_Tc7CigTpxkKDXT0VVXG7HMru8qW+Q@mail.gmail.com> <CAJTd26KEVoHx1kv=UL_sxDaDOwLuy+-f_8qruJHrZ9enLNfq=A@mail.gmail.com>
In-Reply-To: <CAJTd26KEVoHx1kv=UL_sxDaDOwLuy+-f_8qruJHrZ9enLNfq=A@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Tue, 26 Mar 2024 22:12:07 -0700
Message-ID: <CAKoiRub8b3VkBu7E_o9v8V5zBP2Ww7Y=fixxfb6kRO-+AEMpZg@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Richard Barnes <rlb@ipv.sx>, Suhas Nandakumar <suhasietf@gmail.com>, Travis Ralston <travisr=40matrix.org@dmarc.ietf.org>, Alissa Cooper <alissa@cooperw.in>, mimi@ietf.org
Content-Type: multipart/alternative; boundary="000000000000703e5606149d7325"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/_Op66MITelghLW7vLpayV3knGzY>
Subject: Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 05:12:23 -0000

Thanks, this helped. Three more comments inline.

In the current draft, KeyPackage requests contain both the requesting
> user's and the target user's identity, and the request is proxied plaintext
> through several providers. Everyone in the system can see "Alice wants to
> talk to Bob." By making KeyPackage requests over OHTTP, only the RSP can
> see "Someone wants to talk to Bob." The RSP might assign bearer tokens so
> that it knows "Someone" is "Alice", but it also could not. The point is the
> RSP has control over the anonymity set, and can define it in a way that
> protects privacy + works with their abuse mitigation.

To be clear, under this approach the LSP knows Alice wants to talk to Bob,
and the RSP might know or require that it knows. It sounds like the salient
difference is that the *hub* does not know Alice wants to talk to Bob.

- What happens if a hub forwards an invalid/unacceptable commit (not
> related to an unwanted Welcome) and all the other clients are offline? How
> does "rollback" work? (Note the current proposal will also need to address
> a subset of this same problem)
>
When honest clients come online, they will ignore the invalid commit. The
> user that sent the invalid commit will either a.) keep sending messages to
> the old epoch, or b.) start sending messages to a new epoch with a new
> partition key. Because the honest clients ignored the commit, they will
> never see/request the messages that went to the new partition key.
> Repeatedly messaging an epoch after sending a Commit, or sending messages
> to a partition key that nobody ever reads, should signal abuse to the
> service provider.

Maybe I need to step back a bit. You said the hub is responsible for
message ordering. If the hub gets a series of commits moving to epoch 13,
then to epoch 14, then to 13, then to 15, then to 14, does the hub send
these in the order it received them, or does it assume a particular epoch
is current until told otherwise?

A hub will accept group messages from any RSP that knows the group ID.


Is there no authentication required by the hub then? It sounds like the
only DoS prevention from a compromised but previously honest LSP is rate
limiting.

Cheers,
-rohan


On Tue, Mar 26, 2024 at 6:58 PM Brendan McMillion <
brendanmcmillion@gmail.com> wrote:

> Responses inline,
>
> On Tue, Mar 26, 2024 at 1:32 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>
>> Hi Brendan,
>> Thanks very much for sharing this. This is generally the right level of
>> detail and helps a lot for understanding where you are coming from.
>>
>> A few questions and reactions:
>> - Could you please elaborate on the construction of the bearer tokens? If
>> not done correctly, this can easily leak as much metadata as the design
>> team proposal.
>>
>
> In the current draft, KeyPackage requests contain both the requesting
> user's and the target user's identity, and the request is proxied plaintext
> through several providers. Everyone in the system can see "Alice wants to
> talk to Bob." By making KeyPackage requests over OHTTP, only the RSP can
> see "Someone wants to talk to Bob." The RSP might assign bearer tokens so
> that it knows "Someone" is "Alice", but it also could not. The point is the
> RSP has control over the anonymity set, and can define it in a way that
> protects privacy + works with their abuse mitigation.
>
> The idea of authing with a bearer token that corresponds to an anonymity
> set is a core part of how Sealed Sender works. Allowing users to /verify/
> that they're in an anonymity set isn't required
>
>
>> - How does the hub know when to stop sending messages to an RSP?
>>
>
> If an RSP doesn't have any users that are asking for the messages for a
> group, the RSP will simply stop pulling messages / revoke consent for push
> requests. This is independent of the MLS state.
>
>
>> - What happens if a hub forwards an invalid/unacceptable commit (not
>> related to an unwanted Welcome) and all the other clients are offline? How
>> does "rollback" work? (Note the current proposal will also need to address
>> a subset of this same problem)
>>
>
> When honest clients come online, they will ignore the invalid commit. The
> user that sent the invalid commit will either a.) keep sending messages to
> the old epoch, or b.) start sending messages to a new epoch with a new
> partition key. Because the honest clients ignored the commit, they will
> never see/request the messages that went to the new partition key.
> Repeatedly messaging an epoch after sending a Commit, or sending messages
> to a partition key that nobody ever reads, should signal abuse to the
> service provider.
>
>
>> - Are partition keys shared with any of the providers? If so, how do they
>> use them? If not, what benefit do they provide?
>>
>
> Users share a (group id, epoch, partition key) triplet with their LSP; the
> LSP sends/requests messages from the hub based on this triplet. The flow is
> unidirectional -- users only ever provide partition keys to their LSP, the
> LSP only ever provides them to the hub. The hub uses the provided partition
> key to gate which messages it provides back to the LSP, and the LSP uses
> the partition key to gate which messages it provides back to the user.
>
>
>> - In the self Remove case, an external commit can ignore the proposal,
>> leaving the client in the MLS group, unless it a) uses SelfRemove, b)
>> continues to monitor the group for a Commit showing its removal, or c) uses
>> an extension to insist that external commits include queued proposals.
>>
>
> Yes, these are all valid approaches imo. You would just need an extension
> point to make (a) or (c) implementable
>
>
>> - Do you envision that handshakes on the hub are always either always
>> private or always public for a single MLS group/MIMI room, or could they be
>> a mix?
>>
>
> My initial idea is that maybe clients could negotiate public/private based
> on preferences expressed in a LeafNode extension. But the protocol between
> service providers is neutral to this -- an unencrypted Commit + GroupInfo
> is shuffled around the same as an encrypted Commit. Maybe you would have
> some special compression for transmitting the ratchet tree
>
>
>>
>> Thanks,
>> -rohan
>>
>>
>>
>> On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion <
>> brendanmcmillion@gmail.com> wrote:
>>
>>> Hi Rohan
>>>
>>> Sure, here's a general approach that I think would meet mimi's goals
>>> better:
>>> https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02
>>>
>>> It's hard for me to see how the pseudonyms approach could possibly be
>>> fruitful. If the reason for requiring PublicMessage is performance (i.e.
>>> having clients upload a linear amount of encrypted data is too expensive
>>> for them), how could a pseudonym scheme possibly authenticate a linear
>>> number of members with sublinear data? Say that it is possible -- why
>>> couldn't this same encryption scheme just be applied directly to the
>>> ratchet tree, instead of adding a layer of indirection that risks voiding
>>> the security of all of MLS?
>>>
>>> If the reason for requiring PublicMessage is to support policy
>>> enforcement, then obviously we don't trust clients to do this themselves.
>>> But if we don't trust clients, the approach of inspecting handshake
>>> messages and trying to actively track the group state actually makes the
>>> protocol more brittle and vulnerable to abuse. The hub server can't verify
>>> group state, so a single malformed message can brick the group in
>>> innumerable different ways and there's nothing that can be done to recover.
>>> If the hub server was out of the way, instead of enforcing it's own idea of
>>> who's in the group and which epoch is most recent, honest clients can
>>> recover from malicious behavior in a straightforward way.
>>>
>>>
>>> On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>>>
>>>> Hi Brendan,
>>>>
>>>> You characterized the state of the current draft as "freely" sharing a
>>>> lot of metadata with all the providers. I'd like to examine that a bit more.
>>>>
>>>> Assuming each client follows the recommendation in the draft to use a
>>>> unique pseudonym per group (this implies only joining via join/invitation
>>>> links or knocks), the non-local providers know the following:
>>>> - the authorization policy of the group (broadly),
>>>> - how many MLS clients from each provider are in each group,
>>>> - how often each client sends messages,
>>>> - the authorization role(s) assigned to their anonymized users, and
>>>> - (if they reveal it) if there are multiple devices under the same
>>>> pseudonym.
>>>>
>>>> While a user's local provider (which the user has chosen) is sort of
>>>> outside of the scope of MIMI, when it is a hub provider it will at least
>>>> need to disclose machine-readable privacy information for each of its
>>>> rooms. Each client gets to examine the room policy before they join and
>>>> before they accept any change to that policy. This is already way better
>>>> than the status quo. The metadata privacy extensions that Konrad and
>>>> Raphael are working on further improve the privacy situation.
>>>>
>>>> If you think this is setting the privacy bar too low, I think it would
>>>> be reasonable to provide an outline of how you think MIMI could provide
>>>> similar functionality with even less metadata. IMO this doesn't need to be
>>>> an I-D, but at least a page-long email with bullet points.
>>>>
>>>> Thanks,
>>>> -rohan
>>>>
>>>> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion <
>>>> brendanmcmillion@gmail.com> wrote:
>>>>
>>>>> Providing the same privacy properties as Signal is incredibly
>>>>> difficult. Nobody is asking mimi to do that. However, the mimi protocol
>>>>> could be a neutral way for service providers to synchronize messages
>>>>> related to a given group. Whether a service provider chooses to receive
>>>>> messages in some exceptionally private way or not, would be the service
>>>>> provider's choice. But instead the drafts require duplicating state between
>>>>> the encryption layer and mimi layer, and this presupposes a certain
>>>>> inescapable amount of metadata leakage.
>>>>>
>>>>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <
>>>>>> stephen.farrell@cs.tcd.ie> wrote:
>>>>>>
>>>>>>> Sounds like a classic loss for privacy.
>>>>>>>
>>>>>>
>>>>>> I argue it is the opposite. Today if you want to join a group chat on
>>>>>> any system other than Signal, the participants surrender much more metadata
>>>>>> than would be revealed to other providers under the proposed MIMI approach
>>>>>> with pseudonyms. In addition, the low metadata approaches (using techniques
>>>>>> such as privacy pass) that Konrad and Raphael are nurturing offer
>>>>>> substantial improvements to privacy.
>>>>>> If we publish a specification that requires all providers to provide
>>>>>> at least Signal-level metadata privacy, it is likely that we will end up
>>>>>> with neither interoperability nor privacy for the vast majority of users.
>>>>>> Thanks,
>>>>>> -rohan
>>>>>>
>>>>>>

v2.23.0 | Report a Bug | By Email