IETF Logo Mail Archive

Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol

Brendan McMillion <brendanmcmillion@gmail.com> Tue, 26 March 2024 19:14 UTC

Return-Path: <brendanmcmillion@gmail.com>
X-Original-To: mimi@ietfa.amsl.com
Delivered-To: mimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A68F7C14CE44 for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 12:14:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMAZwdx27O7j for <mimi@ietfa.amsl.com>; Tue, 26 Mar 2024 12:14:46 -0700 (PDT)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECC3AC14F6A0 for <mimi@ietf.org>; Tue, 26 Mar 2024 12:14:45 -0700 (PDT)
Received: by mail-ua1-x935.google.com with SMTP id a1e0cc1a2514c-7e05d6871ddso1648305241.1 for <mimi@ietf.org>; Tue, 26 Mar 2024 12:14:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711480485; x=1712085285; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ODTpTOW3Ch6SyGdSAa6R6lOLZWsZTaxtXt4TRwVXmOs=; b=bH/7NHqlMHEwIMaeQlKn8QFtTbV+4iNN6X3RtdhXBUP3Sn4thsWQATXyN+34Q8wcp9 8FVHUwQJAW/dH73g9PLdDnAOReAP0RNqgSi5hI5BpmtO7SvdAepqObKdFnlF0+sBFnZf 5roROrtAPR6IASGFdRvaYRKg5zWNFCDisOyny1qr7TH/UfzDqs5/WxDP73nIpwmw0td8 Sj3ZzoGHN4lrEgFJ4hkMZiIoaN+sEqgVH9dIFpcoDxdbzKDMAptfY5LEe3PX9cmDEsJS NpkxoQ1D4nvYfzvvW2wyW3vlndUr/x47hxRZxugRYXYLT1o+EtsdiiSQcpcHKKF7NJzK 1UUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711480485; x=1712085285; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ODTpTOW3Ch6SyGdSAa6R6lOLZWsZTaxtXt4TRwVXmOs=; b=R+R3oRSX+EXCgu659I6a5yrJ0DpUSJY2VLVatjA4Y8LK9mwoMBbgFqItN/JbUVSpIh ASV/3k661OS+lGJrVMRe7mv0UTgTw65E7+9PSBLzysgQ2GIrCfIs+HjDbz/YqBos/Ta1 TR/RklFmLN/hoctqX+OlF5Pxp6+Kfr7+NOTpJ+oVVcPpLgWX8jOrRAzo10IYynSh80tN uRkfVpa20hL6kvZFhrmXy5UfqHtk1fLzJ33GNJWsAUfl9YMpLXpRJ9Cm2OdlN+nBQdSK 6rqraxa0lu+5zNFSpwTH26vbjJw4vobcDVFMQrQSbuuEhvYP1flUy4HaD6QLWQZj/GYB zcug==
X-Forwarded-Encrypted: i=1; AJvYcCUir88IlQqXl+IjNh0/YjCisp3NVmisRE+cyYWQnWqC8JaEffiWIanUEKbWSH3Ok2BwyryPq2Rne9Y0uUxG
X-Gm-Message-State: AOJu0Yy7Jt5Ms4xWYWaszWwhrCg17k+ZhOaucFgQ4WV2KTCV2EuuMHau 4iHhoeoKIBmP5gcdoP7Ep0btKV9iw+Bez3yZIlv2Umkntpf4ud7/XYfGifBxHPyTpYyRDE0DAOz eNTJsn3n+uPyGLhUy8030x0LDr8w=
X-Google-Smtp-Source: AGHT+IH9HFFb/Pn/XqkrLQX5PbZsk9q7LAgAYjKTQFVxZsvfcCySE6dQGFJnbEIKcTqAoeAib6VbFvmkOwLHsmXvhmU=
X-Received: by 2002:a05:6102:2249:b0:472:5c3e:caf4 with SMTP id e9-20020a056102224900b004725c3ecaf4mr804746vsb.27.1711480484559; Tue, 26 Mar 2024 12:14:44 -0700 (PDT)
MIME-Version: 1.0
References: <8C305FF1-41E2-4E60-94CF-B15A5EEBFC03@cooperw.in> <CAKoiRuYse46M5TiCoCgMhuW=MZrAmfJf0KUkZGX20PJVUmM66Q@mail.gmail.com> <CANd9WG55weUzkDA5MjKxS8cEg=dAaqVOyEsVxEO7p0wA7J7yNw@mail.gmail.com> <CAMRcRGT_hqdO_AEg4oHgmN_sFrpQoPyxuU20Snt1S1Y5ym0qHA@mail.gmail.com> <CAJTd26JOvqpuakznGK5dqUEX2wW1FhvS==Zk+oZKvWgtq+cPFg@mail.gmail.com> <CAL02cgTd=5GCcLpKqB5=XgFq-geUuFrFW-2Cu84F7=3QLdTdLA@mail.gmail.com> <54e875bb-6a35-4879-b7f7-2a33da96b4b4@cs.tcd.ie> <CAKoiRubSCrRrAxDDmpLC8xUdzk3eNUOxBSz0ra6vi_qf95Jvcg@mail.gmail.com> <CAJTd26+pSCwjbQLAQyjMG73tDMPSwFTVt-ZaSOvDtokNXxZazw@mail.gmail.com> <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com>
In-Reply-To: <CAKoiRuZ73o7aK8aX8WTArHujy_6EYaGoQqnWfzO_a1-ihrb0rw@mail.gmail.com>
From: Brendan McMillion <brendanmcmillion@gmail.com>
Date: Tue, 26 Mar 2024 12:14:32 -0700
Message-ID: <CAJTd26+sZEAvMxk8uS2RJMk+ffFdCAYdgFnYq9Y7t9rJC2cuyA@mail.gmail.com>
To: Rohan Mahy <rohan.mahy@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Richard Barnes <rlb@ipv.sx>, Suhas Nandakumar <suhasietf@gmail.com>, Travis Ralston <travisr=40matrix.org@dmarc.ietf.org>, Alissa Cooper <alissa@cooperw.in>, mimi@ietf.org
Content-Type: multipart/alternative; boundary="00000000000052856c0614951a0c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mimi/vLD_zZPlpdRT-DfhL0sfzDF_A4E>
Subject: Re: [Mimi] Confirming adoption calls for draft-barnes-mimi-arch and draft-ralston-mimi-protocol
X-BeenThere: mimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: More Instant Messaging Interoperability <mimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mimi>, <mailto:mimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mimi/>
List-Post: <mailto:mimi@ietf.org>
List-Help: <mailto:mimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mimi>, <mailto:mimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2024 19:14:47 -0000

Hi Rohan

Sure, here's a general approach that I think would meet mimi's goals
better: https://gist.github.com/Bren2010/d009ba8d702ae3428b31981295455f02

It's hard for me to see how the pseudonyms approach could possibly be
fruitful. If the reason for requiring PublicMessage is performance (i.e.
having clients upload a linear amount of encrypted data is too expensive
for them), how could a pseudonym scheme possibly authenticate a linear
number of members with sublinear data? Say that it is possible -- why
couldn't this same encryption scheme just be applied directly to the
ratchet tree, instead of adding a layer of indirection that risks voiding
the security of all of MLS?

If the reason for requiring PublicMessage is to support policy enforcement,
then obviously we don't trust clients to do this themselves. But if we
don't trust clients, the approach of inspecting handshake messages and
trying to actively track the group state actually makes the protocol more
brittle and vulnerable to abuse. The hub server can't verify group state,
so a single malformed message can brick the group in innumerable different
ways and there's nothing that can be done to recover. If the hub server was
out of the way, instead of enforcing it's own idea of who's in the group
and which epoch is most recent, honest clients can recover from malicious
behavior in a straightforward way.


On Sun, Mar 24, 2024 at 3:11 PM Rohan Mahy <rohan.mahy@gmail.com> wrote:

> Hi Brendan,
>
> You characterized the state of the current draft as "freely" sharing a lot
> of metadata with all the providers. I'd like to examine that a bit more.
>
> Assuming each client follows the recommendation in the draft to use a
> unique pseudonym per group (this implies only joining via join/invitation
> links or knocks), the non-local providers know the following:
> - the authorization policy of the group (broadly),
> - how many MLS clients from each provider are in each group,
> - how often each client sends messages,
> - the authorization role(s) assigned to their anonymized users, and
> - (if they reveal it) if there are multiple devices under the same
> pseudonym.
>
> While a user's local provider (which the user has chosen) is sort of
> outside of the scope of MIMI, when it is a hub provider it will at least
> need to disclose machine-readable privacy information for each of its
> rooms. Each client gets to examine the room policy before they join and
> before they accept any change to that policy. This is already way better
> than the status quo. The metadata privacy extensions that Konrad and
> Raphael are working on further improve the privacy situation.
>
> If you think this is setting the privacy bar too low, I think it would be
> reasonable to provide an outline of how you think MIMI could provide
> similar functionality with even less metadata. IMO this doesn't need to be
> an I-D, but at least a page-long email with bullet points.
>
> Thanks,
> -rohan
>
> On Sat, Mar 23, 2024 at 3:45 PM Brendan McMillion <
> brendanmcmillion@gmail.com> wrote:
>
>> Providing the same privacy properties as Signal is incredibly difficult.
>> Nobody is asking mimi to do that. However, the mimi protocol could be a
>> neutral way for service providers to synchronize messages related to a
>> given group. Whether a service provider chooses to receive messages in some
>> exceptionally private way or not, would be the service provider's choice.
>> But instead the drafts require duplicating state between the encryption
>> layer and mimi layer, and this presupposes a certain inescapable amount of
>> metadata leakage.
>>
>> On Sun, Mar 24, 2024 at 1:49 AM Rohan Mahy <rohan.mahy@gmail.com> wrote:
>>
>>>
>>>
>>> On Sat, Mar 23, 2024, 02:38 Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>> wrote:
>>>
>>>> Sounds like a classic loss for privacy.
>>>>
>>>
>>> I argue it is the opposite. Today if you want to join a group chat on
>>> any system other than Signal, the participants surrender much more metadata
>>> than would be revealed to other providers under the proposed MIMI approach
>>> with pseudonyms. In addition, the low metadata approaches (using techniques
>>> such as privacy pass) that Konrad and Raphael are nurturing offer
>>> substantial improvements to privacy.
>>> If we publish a specification that requires all providers to provide at
>>> least Signal-level metadata privacy, it is likely that we will end up with
>>> neither interoperability nor privacy for the vast majority of users.
>>> Thanks,
>>> -rohan
>>>
>>>

v2.23.0 | Report a Bug | By Email