IETF Logo Mail Archive

Re: [Mimi] Brendan's Partition Keys (was Re: Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol)

Rohan Mahy <rohan.mahy@gmail.com> Fri, 29 March 2024 06:21 UTC

Return-Path: <rohan.mahy@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F4D1C180B4F for <mimi@ietfa.amsl.com>; Thu, 28 Mar 2024 23:21:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 76zJFtuDJ_u5 for <mimi@ietfa.amsl.com>; Thu, 28 Mar 2024 23:21:25 -0700 (PDT)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AA94C137366 for <mimi@ietf.org>; Thu, 28 Mar 2024 23:21:25 -0700 (PDT)
Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-56c2b4850d2so2042155a12.2 for <mimi@ietf.org>; Thu, 28 Mar 2024 23:21:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711693283; x=1712298083; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7tX/IlIsV1iPH7uHbSvt3pVqO7onVHX7ugO7m+laKjc=; b=O6a9ZUXkPW97DNLJ8b0tDb75rlN/7IWoteg3mg5fNhImUhuFn07yb74E4G8dv7jdSd MNO04NvPnj3nNjbP0+cDHAh0lV2izYkJUnUwDYMD58Pkm3ldIoAo61eptZNknBJN9RZx II03Rr/NgSqgeQMPEox+gJB2yzGx4W2ANxvoFKfy+tPU47Wz+zIVF757eGxnV8ypvMBc 6zx7gEFErS6d2q7GTUHrv9O4tGZlUnkZ+8TvRg9dRRV2gJYl+SgvQYUL6XzbGePdZZzV aogSM27kMr3GYDhZxaqAAUKgbn+LIT9LTAVhUZtsEotUuNwTyrIJw1SsmhAsoVXvXg/B JzcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711693283; x=1712298083; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7tX/IlIsV1iPH7uHbSvt3pVqO7onVHX7ugO7m+laKjc=; b=VanQHsnUhX2Ouc7SPfl7Wbt8B6ub7WEH6D3fUxuPbDqMoZtz/Y8c8oors/9SuV2Ufb uQNeEbuq69Em300ykJ2eFcqOl25BXFUJceFy1eMVnoY36S0dg1Ldx1PtlgemjrJxfXUL EqNrMxRL7RAcpINiSM03Y/7uTJee0kAcnF3dCvDS/bdd2wnWFIDz/SkAibxe9PFT1yP4 rJ2ONUqsxWzvw2cqFNlazVKH0lKXMnaNkoGVu9YIAYvo6cQcjbgouEDVPJPjQhZHLUob ZQUIUWfK01zBtK1h9vDvMhFafxZIhlwLP9np96Kd1Xz22GWGXYiSRb8c2WVaMI4PBSzc ZtIA==
X-Gm-Message-State: AOJu0YxwnFhoF/HmaUKXaXThwiCIcH9tq5fU+W8S+Mg0P0na58D3hpwA nHKo7xt8CpZTpKmR2sglN0U1sxM682zpsEd4SC9V6D7ioTQOyoj0VZ/jXssWBN++MQVzTwIyNbN Cw3T9Dvw3gPdr5uXTZbCVJmzsAFc=
X-Google-Smtp-Source: AGHT+IGUKNUgS4DjRvyCgT4AMm/XDrbRF9G7GQtGRxYeDfwFzKa0n+McXecXCOrGtE/tbvVBdabF5gk6nt5CBxjo4FY=
X-Received: by 2002:a50:d656:0:b0:56b:dd0c:b206 with SMTP id c22-20020a50d656000000b0056bdd0cb206mr809636edj.18.1711693283020; Thu, 28 Mar 2024 23:21:23 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com> <CAKoiRuY72u2UT4ThToYFZY6QHa2UgpxH-iXZiKP1pPd4AANt3w@mail.gmail.com>
In-Reply-To: <CAKoiRuY72u2UT4ThToYFZY6QHa2UgpxH-iXZiKP1pPd4AANt3w@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Thu, 28 Mar 2024 23:21:11 -0700
Message-ID: <CAKoiRuZEAkM4vq66V02Jh7-=8-yc0ayUcH0pQfZPOaBH032z4A@mail.gmail.com>
To: Brendan McMillion <brendanmcmillion@gmail.com>
Cc: mimi@ietf.org
Content-Type: multipart/alternative; boundary="00000000000019598b0614c6a65e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/bZ_CBxB83y7vHGnAtawrAX90Aow>
Subject: Re: [Mimi] Brendan's Partition Keys (was Re: Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol)
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 06:21:29 -0000

Sorry, I typed "privacy keys" instead of "partition keys" in a few places
in my message.

Brendan's gist uses partition keys between the RSP and the hub. I think
this is a bad idea because of the extra rountrips needed when an offline
client comes back online and the potential privacy leakage. That doesn't
mean it wouldn't be potentially useful between the RSP and its client, or
as an internal filtering mechanism among messages on the client.
Thanks,
-rohan



On Thu, Mar 28, 2024, 22:14 Rohan Mahy <rohan.mahy@gmail.com> wrote:

> Hi Brendan,
> I realized that the privacy keys in your gist have some negative
> implications for offline use and also leak private timing information.
>
> A partition key is a short secret exported from the MLS key schedule.
>> Whenever users send or receive group messages, they provide the partition
>> key for the current epoch. Messages sent with a given partition key are
>> only provided to users who request to receive messages with the same
>> partition key. (Exceptions may be selectively made for external commits /
>> proposals, given that the sender isn't in the group yet.)
>
>
> So if a user is offline and was "subscribed" to the privacy key for group
> "clubhouse" in epoch 13, its RSP will receive app messages in that group
> and the Commit that moves it to epoch 14, however the RSP won't request
> anything for subsequent epochs while its client is offline. The hub has to
> keep messages as long as the longest period that an individual client on
> any of the providers can be offline. It also means a client will need
> several round trips to subscribe for messages as a busy group transitions
> from epoch to epoch. This is not great for the user experience, especially
> if the client is on a high-latency connection.
>
> If the RSP has relatively few users, this also leaks a lot of timing
> information about when clients of the RSP are online and offline.
>
> Thanks,
> -rohan
>
> On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion <
> brendanmcmillion@gmail.com> wrote:
>
>> Hi Rohan
>>
>> Sure, here's a general approach that I think would meet mimi's goals
>> better: https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02
>>
>> It's hard for me to see how the pseudonyms approach could possibly be
>> fruitful. If the reason for requiring PublicMessage is performance (i.e.
>> having clients upload a linear amount of encrypted data is too expensive
>> for them), how could a pseudonym scheme possibly authenticate a linear
>> number of members with sublinear data? Say that it is possible -- why
>> couldn't this same encryption scheme just be applied directly to the
>> ratchet tree, instead of adding a layer of indirection that risks voiding
>> the security of all of MLS?
>>
>> If the reason for requiring PublicMessage is to support policy
>> enforcement, then obviously we don't trust clients to do this themselves.
>> But if we don't trust clients, the approach of inspecting handshake
>> messages and trying to actively track the group state actually makes the
>> protocol more brittle and vulnerable to abuse. The hub server can't verify
>> group state, so a single malformed message can brick the group in
>> innumerable different ways and there's nothing that can be done to recover.
>> If the hub server was out of the way, instead of enforcing it's own idea of
>> who's in the group and which epoch is most recent, honest clients can
>> recover from malicious behavior in a straightforward way.
>>
>>
>> On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>>
>>> Hi Brendan,
>>>
>>> You characterized the state of the current draft as "freely" sharing a
>>> lot of metadata with all the providers. I'd like to examine that a bit more.
>>>
>>> Assuming each client follows the recommendation in the draft to use a
>>> unique pseudonym per group (this implies only joining via join/invitation
>>> links or knocks), the non-local providers know the following:
>>> - the authorization policy of the group (broadly),
>>> - how many MLS clients from each provider are in each group,
>>> - how often each client sends messages,
>>> - the authorization role(s) assigned to their anonymized users, and
>>> - (if they reveal it) if there are multiple devices under the same
>>> pseudonym.
>>>
>>> While a user's local provider (which the user has chosen) is sort of
>>> outside of the scope of MIMI, when it is a hub provider it will at least
>>> need to disclose machine-readable privacy information for each of its
>>> rooms. Each client gets to examine the room policy before they join and
>>> before they accept any change to that policy. This is already way better
>>> than the status quo. The metadata privacy extensions that Konrad and
>>> Raphael are working on further improve the privacy situation.
>>>
>>> If you think this is setting the privacy bar too low, I think it would
>>> be reasonable to provide an outline of how you think MIMI could provide
>>> similar functionality with even less metadata. IMO this doesn't need to be
>>> an I-D, but at least a page-long email with bullet points.
>>>
>>> Thanks,
>>> -rohan
>>>
>>> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion <
>>> brendanmcmillion@gmail.com> wrote:
>>>
>>>> Providing the same privacy properties as Signal is incredibly
>>>> difficult. Nobody is asking mimi to do that. However, the mimi protocol
>>>> could be a neutral way for service providers to synchronize messages
>>>> related to a given group. Whether a service provider chooses to receive
>>>> messages in some exceptionally private way or not, would be the service
>>>> provider's choice. But instead the drafts require duplicating state between
>>>> the encryption layer and mimi layer, and this presupposes a certain
>>>> inescapable amount of metadata leakage.
>>>>
>>>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>>>> wrote:
>>>>>
>>>>>> Sounds like a classic loss for privacy.
>>>>>>
>>>>>
>>>>> I argue it is the opposite. Today if you want to join a group chat on
>>>>> any system other than Signal, the participants surrender much more metadata
>>>>> than would be revealed to other providers under the proposed MIMI approach
>>>>> with pseudonyms. In addition, the low metadata approaches (using techniques
>>>>> such as privacy pass) that Konrad and Raphael are nurturing offer
>>>>> substantial improvements to privacy.
>>>>> If we publish a specification that requires all providers to provide
>>>>> at least Signal-level metadata privacy, it is likely that we will end up
>>>>> with neither interoperability nor privacy for the vast majority of users.
>>>>> Thanks,
>>>>> -rohan
>>>>>
>>>>> --
> Mimi mailing list
> Mimi@ietf.org
> https://www.ietf.org/mailman/listinfo/mimi
>

v2.23.0 | Report a Bug | By Email