IETF Logo Mail Archive

Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol

Brendan McMillion <brendanmcmillion@gmail.com> Wed, 27 March 2024 07:51 UTC

Return-Path: <brendanmcmillion@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28BBDC151063 for <mimi@ietfa.amsl.com>; Wed, 27 Mar 2024 00:51:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 92zKF16e_lyJ for <mimi@ietfa.amsl.com>; Wed, 27 Mar 2024 00:51:28 -0700 (PDT)
Received: from mail-ua1-x92e.google.com (mail-ua1-x92e.google.com [IPv6:2607:f8b0:4864:20::92e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8EC6C151062 for <mimi@ietf.org>; Wed, 27 Mar 2024 00:51:28 -0700 (PDT)
Received: by mail-ua1-x92e.google.com with SMTP id a1e0cc1a2514c-7e09ad21b34so1798924241.0 for <mimi@ietf.org>; Wed, 27 Mar 2024 00:51:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711525887; x=1712130687; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=5y7J9j5egfCIfTcxsnWVJ2iAv8Jpoz+fidny6FFsgLg=; b=k63a2r2Oq3X4K8wA4+LuwrnHgTWbLHVFWICZQobHh8Y6CEdoWFiOoyx1RsJmkh4kYV HNSWC1uGSUkA5txpwey4QKBhKGshKbnxWJQ83oIGrCIRpd6YErZXXCYkAq7MM7juW+SC FpnMGNPLVgfz0NRfWE6UKBPFCh2AY4armA39Smuy83BNj13nZgpaQgjrVSZtaNMkFd4d Q2MWXFT57crNmCnVvqMpYCQw9XbT6FKt48Ub7dYGAtXXreCgTrqECv3xfLiU3QuWrQNQ aLWaytheZEBJfo2M76CgCdzulqLHhUVZ/Kzw3xiWqLFITSnLPOKDYrFZqvtKuqmKx381 NoEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711525887; x=1712130687; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5y7J9j5egfCIfTcxsnWVJ2iAv8Jpoz+fidny6FFsgLg=; b=aaw91qbVcNhDVLESm0f6Rv0asbZUEwp+nHrvFZnBaPHh1vSCR1+xvaUryMdtdJBRoS pblLYyqo1njN78A72ReHjGJQtjpYGTQWGPbWRgQdNdudx1DWPogul0O9EarmJ7aa7wAq 6ph52KDIG5ffINTDMtnYtB1vG+IiH6de44R3cb7d2D/FKxtetHTYhpg0/P2UBf8lRrxJ F5N139c8qZw7heWagc4EOXYnUtvEzVdDbTMB4aG+BAQDyCLiX91aXAiBsoVm8aZoX6TN 3OBAbPZw6Zg7tnrmNrvmiOyJ2/X4zmoBafwIt65rivAH1s+DUyRc3lKpiSAQ1OYX5LrO gJxg==
X-Forwarded-Encrypted: i=1; AJvYcCVHteqZoDNTa3us+iOebTzmvu1xjdDy+TyLMagiTfnEmIlngrfyIeAKORyLfJsUVKJYHFhATu2QJiY54T0m
X-Gm-Message-State: AOJu0YwvATlYihNUt3aaD6u6Ot+g7iyF+AchgMroYg0c8NeMGPbMF6Jm gAnFXkDCzdyxDnKr5oHxTlKOx5WjkuDnrlQThwC/3Vi69/yQdbrnXRYWOjRw+nbeloiT7jpLyU5 xcAIxvb86/r55mJJ58kDOI9zlWnxnSfleis/cwQ==
X-Google-Smtp-Source: AGHT+IFPaIJ6x33A1P3tjoMKmJsH/ZrAQzHUkvb74YNNev/0u5S7pzLuJW0DWriENVNv+hPxhAZnSudcmGHZbvKIGBY=
X-Received: by 2002:a67:f30e:0:b0:475:c159:2bc3 with SMTP id p14-20020a67f30e000000b00475c1592bc3mr2129257vsf.5.1711525887378; Wed, 27 Mar 2024 00:51:27 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com> <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com> <CAKoiRubheSkkSHX8Of+j_Tc7CigTpxkKDXT0VVXG7HMru8qW+Q@mail.gmail.com> <CAJTd26KEVoHx1kv=UL_sxDaDOwLuy+-f_8qruJHrZ9enLNfq=A@mail.gmail.com> <CAKoiRub8b3VkBu7E_o9v8V5zBP2Ww7Y=fixxfb6kRO-+AEMpZg@mail.gmail.com>
In-Reply-To: <CAKoiRub8b3VkBu7E_o9v8V5zBP2Ww7Y=fixxfb6kRO-+AEMpZg@mail.gmail.com>
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Wed, 27 Mar 2024 00:51:16 -0700
Message-ID: <CAJTd26+VA3-4+yt6oTMrmkwx_GYFA+XEBXwJ11eA3e9qgoUAxg@mail.gmail.com>
To: Rohan Mahy <rohan.mahy@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Richard Barnes <rlb@ipv.sx>, Suhas Nandakumar <suhasietf@gmail.com>, Travis Ralston <travisr=40matrix.org@dmarc.ietf.org>, Alissa Cooper <alissa@cooperw.in>, mimi@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008a8f3606149fac00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/poSfjm0gtoED_yOm6zhmhis23eU>
Subject: Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 07:51:30 -0000

>
> To be clear, under this approach the LSP knows Alice wants to talk to Bob,
> and the RSP might know or require that it knows. It sounds like the salient
> difference is that the *hub* does not know Alice wants to talk to Bob.
>

The LSP should only be able to see "Alice wants to talk to one of
RSP's users" because of the masking provided by OHTTP. The privacy property
I generally want is that no service provider should need visibility into
another provider's users

Maybe I need to step back a bit. You said the hub is responsible for
> message ordering. If the hub gets a series of commits moving to epoch 13,
> then to epoch 14, then to 13, then to 15, then to 14, does the hub send
> these in the order it received them, or does it assume a particular epoch
> is current until told otherwise?


Note that the partition key changes each epoch. A user starting at epoch 13
would process the commit at epoch 13, compute the new partition key, then
share that with its LSP. The LSP would get the commit for epoch 14 with the
same partition key, the user would process it, compute the new partition
key, share that with its LSP. And so on. This is how users would
navigate forks in the group state. It requires one roundtrip per epoch, but
the server could always do an http/2 push if it's confident what the next
request will be.

If there are several commits in the same epoch, that's obviously easier.
The hub just provides them in the order received and the first valid one is
the winner.

Is there no authentication required by the hub then? It sounds like the
> only DoS prevention from a compromised but previously honest LSP is rate
> limiting.


Yes, such a service provider could push junk data to the hub. Assuming none
of the service provider's users are members of the group anymore, then none
of the spam would be seen by group members, as the correct partition key
wouldn't be known. You would trigger the abuse mitigation, as you would be
sending a bunch of data to partition keys that nobody seems to be reading.

On Tue, Mar 26, 2024 at 10:12 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:

> Thanks, this helped. Three more comments inline.
>
> In the current draft, KeyPackage requests contain both the requesting
>> user's and the target user's identity, and the request is proxied plaintext
>> through several providers. Everyone in the system can see "Alice wants to
>> talk to Bob." By making KeyPackage requests over OHTTP, only the RSP can
>> see "Someone wants to talk to Bob." The RSP might assign bearer tokens so
>> that it knows "Someone" is "Alice", but it also could not. The point is the
>> RSP has control over the anonymity set, and can define it in a way that
>> protects privacy + works with their abuse mitigation.
>
> To be clear, under this approach the LSP knows Alice wants to talk to Bob,
> and the RSP might know or require that it knows. It sounds like the salient
> difference is that the *hub* does not know Alice wants to talk to Bob.
>
> - What happens if a hub forwards an invalid/unacceptable commit (not
>> related to an unwanted Welcome) and all the other clients are offline? How
>> does "rollback" work? (Note the current proposal will also need to address
>> a subset of this same problem)
>>
> When honest clients come online, they will ignore the invalid commit. The
>> user that sent the invalid commit will either a.) keep sending messages to
>> the old epoch, or b.) start sending messages to a new epoch with a new
>> partition key. Because the honest clients ignored the commit, they will
>> never see/request the messages that went to the new partition key.
>> Repeatedly messaging an epoch after sending a Commit, or sending messages
>> to a partition key that nobody ever reads, should signal abuse to the
>> service provider.
>
> Maybe I need to step back a bit. You said the hub is responsible for
> message ordering. If the hub gets a series of commits moving to epoch 13,
> then to epoch 14, then to 13, then to 15, then to 14, does the hub send
> these in the order it received them, or does it assume a particular epoch
> is current until told otherwise?
>
> A hub will accept group messages from any RSP that knows the group ID.
>
>
> Is there no authentication required by the hub then? It sounds like the
> only DoS prevention from a compromised but previously honest LSP is rate
> limiting.
>
> Cheers,
> -rohan
>
>
> On Tue, Mar 26, 2024 at 6:58 PM Brendan McMillion <
> brendanmcmillion@gmail.com> wrote:
>
>> Responses inline,
>>
>> On Tue, Mar 26, 2024 at 1:32 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>>
>>> Hi Brendan,
>>> Thanks very much for sharing this. This is generally the right level of
>>> detail and helps a lot for understanding where you are coming from.
>>>
>>> A few questions and reactions:
>>> - Could you please elaborate on the construction of the bearer tokens?
>>> If not done correctly, this can easily leak as much metadata as the design
>>> team proposal.
>>>
>>
>> In the current draft, KeyPackage requests contain both the requesting
>> user's and the target user's identity, and the request is proxied plaintext
>> through several providers. Everyone in the system can see "Alice wants to
>> talk to Bob." By making KeyPackage requests over OHTTP, only the RSP can
>> see "Someone wants to talk to Bob." The RSP might assign bearer tokens so
>> that it knows "Someone" is "Alice", but it also could not. The point is the
>> RSP has control over the anonymity set, and can define it in a way that
>> protects privacy + works with their abuse mitigation.
>>
>> The idea of authing with a bearer token that corresponds to an anonymity
>> set is a core part of how Sealed Sender works. Allowing users to /verify/
>> that they're in an anonymity set isn't required
>>
>>
>>> - How does the hub know when to stop sending messages to an RSP?
>>>
>>
>> If an RSP doesn't have any users that are asking for the messages for a
>> group, the RSP will simply stop pulling messages / revoke consent for push
>> requests. This is independent of the MLS state.
>>
>>
>>> - What happens if a hub forwards an invalid/unacceptable commit (not
>>> related to an unwanted Welcome) and all the other clients are offline? How
>>> does "rollback" work? (Note the current proposal will also need to address
>>> a subset of this same problem)
>>>
>>
>> When honest clients come online, they will ignore the invalid commit. The
>> user that sent the invalid commit will either a.) keep sending messages to
>> the old epoch, or b.) start sending messages to a new epoch with a new
>> partition key. Because the honest clients ignored the commit, they will
>> never see/request the messages that went to the new partition key.
>> Repeatedly messaging an epoch after sending a Commit, or sending messages
>> to a partition key that nobody ever reads, should signal abuse to the
>> service provider.
>>
>>
>>> - Are partition keys shared with any of the providers? If so, how do
>>> they use them? If not, what benefit do they provide?
>>>
>>
>> Users share a (group id, epoch, partition key) triplet with their LSP;
>> the LSP sends/requests messages from the hub based on this triplet. The
>> flow is unidirectional -- users only ever provide partition keys to their
>> LSP, the LSP only ever provides them to the hub. The hub uses the provided
>> partition key to gate which messages it provides back to the LSP, and the
>> LSP uses the partition key to gate which messages it provides back to the
>> user.
>>
>>
>>> - In the self Remove case, an external commit can ignore the proposal,
>>> leaving the client in the MLS group, unless it a) uses SelfRemove, b)
>>> continues to monitor the group for a Commit showing its removal, or c) uses
>>> an extension to insist that external commits include queued proposals.
>>>
>>
>> Yes, these are all valid approaches imo. You would just need an extension
>> point to make (a) or (c) implementable
>>
>>
>>> - Do you envision that handshakes on the hub are always either always
>>> private or always public for a single MLS group/MIMI room, or could they be
>>> a mix?
>>>
>>
>> My initial idea is that maybe clients could negotiate public/private
>> based on preferences expressed in a LeafNode extension. But the protocol
>> between service providers is neutral to this -- an unencrypted Commit +
>> GroupInfo is shuffled around the same as an encrypted Commit. Maybe you
>> would have some special compression for transmitting the ratchet tree
>>
>>
>>>
>>> Thanks,
>>> -rohan
>>>
>>>
>>>
>>> On Tue, Mar 26, 2024 at 12:14 PM Brendan McMillion <
>>> brendanmcmillion@gmail.com> wrote:
>>>
>>>> Hi Rohan
>>>>
>>>> Sure, here's a general approach that I think would meet mimi's goals
>>>> better:
>>>> https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02
>>>>
>>>> It's hard for me to see how the pseudonyms approach could possibly be
>>>> fruitful. If the reason for requiring PublicMessage is performance (i.e.
>>>> having clients upload a linear amount of encrypted data is too expensive
>>>> for them), how could a pseudonym scheme possibly authenticate a linear
>>>> number of members with sublinear data? Say that it is possible -- why
>>>> couldn't this same encryption scheme just be applied directly to the
>>>> ratchet tree, instead of adding a layer of indirection that risks voiding
>>>> the security of all of MLS?
>>>>
>>>> If the reason for requiring PublicMessage is to support policy
>>>> enforcement, then obviously we don't trust clients to do this themselves.
>>>> But if we don't trust clients, the approach of inspecting handshake
>>>> messages and trying to actively track the group state actually makes the
>>>> protocol more brittle and vulnerable to abuse. The hub server can't verify
>>>> group state, so a single malformed message can brick the group in
>>>> innumerable different ways and there's nothing that can be done to recover.
>>>> If the hub server was out of the way, instead of enforcing it's own idea of
>>>> who's in the group and which epoch is most recent, honest clients can
>>>> recover from malicious behavior in a straightforward way.
>>>>
>>>>
>>>> On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Brendan,
>>>>>
>>>>> You characterized the state of the current draft as "freely" sharing a
>>>>> lot of metadata with all the providers. I'd like to examine that a bit more.
>>>>>
>>>>> Assuming each client follows the recommendation in the draft to use a
>>>>> unique pseudonym per group (this implies only joining via join/invitation
>>>>> links or knocks), the non-local providers know the following:
>>>>> - the authorization policy of the group (broadly),
>>>>> - how many MLS clients from each provider are in each group,
>>>>> - how often each client sends messages,
>>>>> - the authorization role(s) assigned to their anonymized users, and
>>>>> - (if they reveal it) if there are multiple devices under the same
>>>>> pseudonym.
>>>>>
>>>>> While a user's local provider (which the user has chosen) is sort of
>>>>> outside of the scope of MIMI, when it is a hub provider it will at least
>>>>> need to disclose machine-readable privacy information for each of its
>>>>> rooms. Each client gets to examine the room policy before they join and
>>>>> before they accept any change to that policy. This is already way better
>>>>> than the status quo. The metadata privacy extensions that Konrad and
>>>>> Raphael are working on further improve the privacy situation.
>>>>>
>>>>> If you think this is setting the privacy bar too low, I think it would
>>>>> be reasonable to provide an outline of how you think MIMI could provide
>>>>> similar functionality with even less metadata. IMO this doesn't need to be
>>>>> an I-D, but at least a page-long email with bullet points.
>>>>>
>>>>> Thanks,
>>>>> -rohan
>>>>>
>>>>> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion <
>>>>> brendanmcmillion@gmail.com> wrote:
>>>>>
>>>>>> Providing the same privacy properties as Signal is incredibly
>>>>>> difficult. Nobody is asking mimi to do that. However, the mimi protocol
>>>>>> could be a neutral way for service providers to synchronize messages
>>>>>> related to a given group. Whether a service provider chooses to receive
>>>>>> messages in some exceptionally private way or not, would be the service
>>>>>> provider's choice. But instead the drafts require duplicating state between
>>>>>> the encryption layer and mimi layer, and this presupposes a certain
>>>>>> inescapable amount of metadata leakage.
>>>>>>
>>>>>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <
>>>>>>> stephen.farrell@cs.tcd.ie> wrote:
>>>>>>>
>>>>>>>> Sounds like a classic loss for privacy.
>>>>>>>>
>>>>>>>
>>>>>>> I argue it is the opposite. Today if you want to join a group chat
>>>>>>> on any system other than Signal, the participants surrender much more
>>>>>>> metadata than would be revealed to other providers under the proposed MIMI
>>>>>>> approach with pseudonyms. In addition, the low metadata approaches (using
>>>>>>> techniques such as privacy pass) that Konrad and Raphael are nurturing
>>>>>>> offer substantial improvements to privacy.
>>>>>>> If we publish a specification that requires all providers to provide
>>>>>>> at least Signal-level metadata privacy, it is likely that we will end up
>>>>>>> with neither interoperability nor privacy for the vast majority of users.
>>>>>>> Thanks,
>>>>>>> -rohan
>>>>>>>
>>>>>>>

v2.23.0 | Report a Bug | By Email