►
From YouTube: IETF-MIMI-20230607-1600
Description
MIMI meeting session at IETF
2023/06/07 1600
https://datatracker.ietf.org/meeting//proceedings/
A
A
C
A
Odd
there
we
go
so
as
usual.
Please
note!
Well
the
ietf
note
well
and
all
the
policies
and
then
let's
get
into
today's
agenda.
So
the
only
thing
formally
on
the
agenda
is
that
Travis
is
going
to
spend
some
time
explaining
linearized
Matrix
to
us
and
we'll
have
some
questions
after
that
and
then,
after
that,
nothing
else
formally
on
the
agenda.
So
anything
anybody
wants
to
discuss
can
be
brought
up.
A
D
D
A
E
D
A
D
D
It
removes
all
the
dependence
off
of
specdomatrix.org
and
these
slides
are
kind
of
split
into
two
parts,
the
first
part
being
what
linearized
Matrix
is
just
as
a
sort
of
recap
for
people
who
might
not
have
seen
the
the
draft
and
then
the
other
half
being
a
question
around
Channel
State
and
whether
it
should
be
client-side
or
server
side,
but
yeah
if
I
can
get
the
next
slide.
Please.
E
D
The
participant
servers,
kind
of
just
hold
users
and
procs
everything
to
the
hub
server,
linearized
Matrix
rooms
are
what
hold
events,
events,
meaning
pretty
much
anything
to
do
with
the
room
itself.
So
that
could
be
a
text
message.
It
could
be
an
image,
it
could
be
a
membership
change.
It
could
be
the
the
room
name,
changing
itself,
that
sort
of
stuff.
We
call
events
over
the
wire,
pdus
or
persistent
data
units.
It's
just
a
slight
distinction.
E
D
Yep,
all
of
them
behavior
for
a
room,
is
defined
by
the
room
version
or
on
that
in
a
second
users
are
what
send
events
they
can
have
zero
more
devices.
Devices
are
effectively
what
MLS
would
call
a
key
or
a
device
in
the
group
versions
are
somewhat
complicated
in
Matrix
and
honestly
they're.
Just
not
well
named
the
rough
ideas
that
all
the
ACLS
all
of
the
behaviors
algorithms,
all
that
sort
of
stuff
that
actually
runs
the
room,
is
defined
by
a
single
room
version.
A
D
A
room
version
is
identified
by
a
string
with
that
room
version.
You
end
up
with
everything
you
need
for
how
power
levels
work,
how
messages
are
accepted
or
events
are
accepted,
all
that
all
that
stuff
is
defined
by
the
room
version,
but
it
doesn't
necessarily
need
to
be
server-side.
It
can
be
run
on
either
area.
B
Yeah
I
I
found
this
this
terminology
a
little
bit
confusing
when
I
was
reading
it
would
you
I
feel
like
I
understand
it
now,
but
would
you
would
you
feel,
like
it'd,
be
a
good
characterization
that
this
is
like
that
this
is
basically
a
capabilities
negotiation
that
the
room
version
is
just
like.
As
you
add
new
capabilities
you
you
create
a
new
version
string
and
people
can
can
coalesce
on
a
specific
set
of
capabilities
that
are
associated
with
that
quote-unquote.
Reversion
string.
E
D
Because
yeah,
like
they're
Frozen,
Once
defined
by
a
spec
process
of
some
kind
so
like
it's
not
like,
you
can
just
change
how
how
rooms
work
and
so
yeah
everybody
needs
to
support
that
version.
You
would
also
know
well
in
advance
whether
or
not
you
can
even
join
that
room,
because
the
room
version
would
be
told
to
you
as
a
server
or
as
a
client,
depending
on
where
we
put
it
so
like
you
wouldn't
be
able
to
actually
join
or
anything
like
that.
E
F
F
I'm
just
wondering,
because
about
there
being
like
a
baseline
version,
that
everybody
supports,
because
I
think
that,
like
what
you
just
spoke
about
this
like
finding
out
that
there's
a
room
that
you
can't
join
for
for
the
sake
of
interop,
is
there
a
value
in
having
like
the
the
simple
version?
And
this
is
the
thing
that
ever
that
every
implementation
would
be
supporting,
and
then
you
can
like
do
other
things.
D
Yeah,
so
the
intended
purpose
of
linearize
Matrix
the
waste
in
the
draft
is
actually
specify
sort
of
like
the
first
room
version.
I
think
it
calls
it
like
I
dot,
one
for
no
particular
reason
bail
like
it
would
have
all
of
the
the
semantics
all
the
behaviors.
So
that
way,
everybody
at
least
has
something
to
go
off
of
in
practice.
You
can
Define
sort
of
custom
room
versions,
but
the
reality
is,
nobody
actually
does.
G
F
C
D
D
E
D
See
if
this
will
be
the
same
diagram
that
people
have
seen
before
in
many
different
shapes,
just
as
a
slightly
different
shape,
you
have
a
central
provider
provider.
A
in
this
case
is
the
Hub
provider
B
The
Gatekeepers,
and
the
existing
dag,
capable
Matrix
are
all
participant
servers.
In
this
example,
the
green
things
are
clients
or
devices,
depending
on
how
you.
H
E
D
C
D
C
D
D
Yep
next
slide,
please
so
yeah
everything
in
Matrix
and
linearize
Matrix
is
sent
as
an
event.
There
are
two
kinds
of
events,
State
events
and
room
events,
but
yeah.
The
the
rough
idea
for
a
state
event
is
that
it
tracks
sort
of
meditative
for
the
room,
user
membership,
name,
join
rules,
power
levels
that
sort
of
stuff
they
are
keyed
by
an
event
type
and
state
key
Tuple,
and
they
override
each
other.
D
Where
current
stage
is
just
the
most
recent
one
that
was
sent
as
defined
by
the
append
Only
log
sort
of
idea,
we
don't
use
a
dedicated
event
ID.
The
event
ID
is
just
the
reference
hash
of
the
event
itself.
This
protects
against
basically
malicious
actors,
primarily
if
you
use
a
uuid
or
a
namespace
or
something
to
that
effect.
A
D
G
Okay,
now
yep
sorry
yeah,
so
maybe
I'm
jumping
ahead
a
bit,
but-
and
maybe
we
talk
about
this
later
so
if
we
will
then
please
just
interrupt
me
is
it
is
this?
Does
this
mean
that
events
are
broadcast
to
all
servers
so,
for
example,
changes
in
room
membership
or
that
rumors
membership,
for
example,
generally,
is
tracked
by
all
participating
servers
or
hubs.
D
D
Yeah,
so
just
so
that
way,
we're
kind
of
all
on
the
sort
of
same
page,
because,
like
a
lot
of
this
stuff,
was
discussed
two
interns
ago
and
there
were
some
I
guess,
disagreement
around
ACLs
and
what
that
might
have
actually
meant.
So
for
the
purposes
of
this
sort
of
deck,
the
a
cells
are
what
the
room
version
defines.
B
C
D
Auth
rules
basically
to
find
what
is
like
it
upon
receipt
of
an
event.
What
are
the
conditions
required
to
accept
it?
Power
levels
is
how
Matrix
Maps
permissions
and
roles
and
that
sort
of
stuff,
so
power
levels
is
a
relatively
large
State
event
that
has
basically
a
string
key
to
a
integer
value
and
basically
the
higher.
D
Speaking
100
is
usually
an
admin.
50
is
usually
a
moderator
and
then
everybody
else
is
zero,
but
you
can
also
go
anywhere
within
the
n32
maximum
range.
If
you
really
wanted
to
so
like
the
rough
idea.
Is
that
like
to
ban
you
need
a
power
level
of
50,
which
means
anybody
who
has
yeah
50
or
greater
can
bam
that
sort
of
stuff.
C
Right
so
so,
I
think
what
I'm
asking
is:
where
do
those
sort
of
rules
get
encoded
like
that?
That
map
you
just
said
where
you
need
a
power
level
of
50
to
be
able
to
Beta
like
where
does
where
does
that
live?
Is
that
a
fixed
property
of
the
room
version,
or
is
that
written
down
somewhere
I
download
that,
in
terms
of
time,.
D
D
C
C
B
D
C
D
I
I'm
still
a
little
puzzled,
so
is.
Let
me
try
to
restate
what
I
thought
I
heard,
and
you
could
tell
me
if
I'm
wrong
enough,
so
why
that
the
specific
set
of
activities
that
one
is
able
to
do
is
defined
by
the
room
version,
but
the
the
levels
that
are
required
to
do
those
roles
is
defined
by
some
configuration.
D
I
D
Yeah
so
like
when
you
send
a
new
event,
like
let's
say
you
are
trying
to
ban
somebody
that
requires
sending
an
event.
The
actual
ban
event
gets
sent
over
the
wire
gets
received
by
a
server
somewhere.
That
could
be
the
Hub
server.
It
could
be
a
participant
server,
that's
going
above
and
beyond,
and
so
once
it
receives
that
event,
it
goes
yes.
This
looks
like
a
ban.
D
B
D
E
D
I
D
E
D
State
is
the
sort
of
term
taken
by
Eric
slides
number
14
if
you're
interested
back
about
a
month
ago.
So
traditionally,
Matrix
and
linearized
Matrix
handles
this
sort
of
Channel
State
server
side.
We
call
it
room
state
and
then
we
would
try
and
keep
the
MLS
group
in
sync
through
rules
defined
on
the
clients.
D
D
Within
reason,
yeah
like
there
would
be
some
sort
of
semantics
that
would
say
like
hey.
When
you
see
Alice
create
a
new
device,
they
would
be
somehow
involved
in
the
MLS
group,
whether
that's
an
external,
join
or
something
similar.
To
that
same
thing
for
like
when
Alice
loses
the
device
that
would
have
to
be
resolved
somehow,
and
so
like.
That's,
where
the
the
sort
of
servers
being
able
to
inject
devices
into
the
into
the
group
becomes
a
bit
of
a
problem.
G
Okay,
but
then
sorry,
then
I
have
a
follow-up
question.
It's
not
clear
to
me
what
you
mean
by
cross
signing
I
mean
because
of
MLS
every
client
knows
like
who
is
in
the
group
right,
so
the
server
can,
in
theory,
eject
like
quote-unquote
inject
a
malicious
device
into
the
group,
but
all
clients
will
know
at
all
times
to
which
devices
they
will
encrypt
and
they
will
know
that
all
other
clients
know
as
well
right.
F
B
I
But,
like
you
know,
hypothetically,
it's
like
you
know,
cificus
plus
KT,
then
then
the
server
then
the
server
the
server
should
not
be
able
to
mount
this
attack
because
because
they
can't
you,
because
they
can't
authenticate
the
user,
so
I
don't
think
that
needs
cross-siding.
Anything
is
ordinary
Authentication.
I
We
probably
do
need
some
way
for
to
have
groups
that
have
a
policy
that
only
only
members
to
add
people,
but
we
also
need
some
way
to
have
the
policy
that
that
that
the
server
can
add
people
and
I
think
so.
I
think
that,
but
and
the
former
course
in
the
asset
control
in
terms
of
what
you're
Crossing
by
would
just
call
signing,
which
is
to
say
signing
the
manifestive
users
were
allowed
to
be
in
the
group.
I
The
hardest
part,
however,
is
kicking
which
the
server
can't
do,
because
it's
not
part
of
the
group,
and
so
someone
will
have
to
I
mean
what
the
server
can
do
is
change
the
room
roster,
but
what
it
can't
do
is
actually,
if
it's
someone
from
the
MLS
group,
and
so
that
requires
someone
in
the
ls
group
to
do
the
eviction
as
I
understand.
That's.
C
C
H
D
C
I
So
I
think
I
think
that
the
new
technical
mechanism
is
actually
required.
Here
is
the
mechanism
I
mean
so
I
mean
it
seems
to
me
that
the
the
logic
that
the
MLS
implementation
on
organization
group
participants
has
to
be
is
when
a
new
when,
when
a
new
person
is
there
needs
to
be
like
the
cause
of
a
room.
Roster
I
mean
a
new
person
to
join
the
group.
They
examine
the
identity
and
compare
it
against
a
roster.
If
that's
and
if
that's
permitted,
then
you
accept
the
astral
joint.
I
E
G
Sorry
I'll
have
to
do
that
manually.
I'll
figure
it
out
in
between
anyway,
so
since
we're
discussing
membership
and
MLS
is
essentially
already
tracking
membership.
This
kind
of
leads
me
to
another
question:
are
you
considering
MLS
messages
and
like
public
messages
or
private
messages
so
like
encrypted
MLS
messages
or
plain
text
like
handshake
messages,
at
least.
G
Like
sorry,
maybe
let
me
explain
real
quick,
so
in
MLS
you
can
messages
and
especially
handshake
messages
can
either
be
sent
encrypted
or
unencrypted,
and
if
it's
unencrypted,
it
obviously
leaks
everything.
That's
inside
the
message,
but
that's
not
necessarily
kind
of
users
and
data,
that's
more
concerning
the
group
state,
so
that
would
be
adding
removing
and
these
kind
of
things
handshake
data
and
you
can
send
them
encrypted
so
that
it
all
it
leaks
to
the
servers.
The
I
think
the
group
ID
the
content
of
the
message.
G
So
if
it's
a
sorry
the
content
type
of
the
message,
so
if
it's
a
proposal
or
a
commit
and
the
current
Epoch
or
something
and
so
I
guess
what
I'm
trying
to
say
is
that
the
server
can
easily
kind
of
just
track
the
MLS
membership.
If
we
use
plain
text,
handshake
messages,
so
sorry
public,
handshake
messages
and
then
can
the
server
can
also
control
can
also
check.
If
it
wants
a
kick
a
member,
it
can
also
check
if
the
next
message
is
a
commit.
E
D
D
I
guess
like
we
fall
on
those
sorts
of
rules
for
adding
or
removing
devices
from
the
MS
group.
If
we
require
that
the
server
you
know
require
or
needs
to
see
that
the
proposal
is
accepted,
then
yeah
we
probably
need
to
be
plain
text,
but
if
we
can
come
up
with
something
I
guess
reliable,
where
you
know
the
server
doesn't
need
to
see
that
information
and
doesn't
really
care
about
that
information.
E
C
G
Okay,
so
Richard,
can
you
maybe
elaborate
on
why
you
think
we
should
do
this?
So
sorry
and
I
want
to
kind
of
motivate
this.
This
question
before
you,
you
respond
because
we
try
to
look
at
both
and
when
we
started
out
with
encrypted
handshake
messages.
Obviously,
with
the
idea
of
you
know
protecting
as
much
as
possible
from
the
eyes
of
the
server
we
afterwards
figure,
like
noticed
ourselves,
kind
of
building
all
the
stuff
that
we
wanted
to
to
have
on
the
server
kind
of
building
it
outside
of
MLS.
G
Again-
and
you
know
you
have
a
notion
of
user
sorry,
you,
you
have
a
notion
of
members
and
the
members
somehow
have
to
authenticate
to
the
server
that
they're
part
of
the
group,
etc,
etc,
and
so,
in
the
end,
what
we,
what
we
ended
up
doing
in
our
like
delivery
service
proposal,
is
decided
on
just
doing
plain
text
messages
and
kind
of
obfuscating.
The
metadata
by
you
know
using
pseudonyms
and
that
kind
of
stuff.
So
yeah
I'd
be
curious
to
just
to
see
here
what
why
you
think
this
should
be
regard.
C
E
C
As
as
you
know,
you
might
imagine
a
naive
reader
once
you
know,
I
should
be
using
stronger
security
settings
everywhere
and
justifying
when
we
know
who's
the
strongest,
so
I
think
mainly
what
I'm
saying
is
like.
If
we
decide
to
go
yeah
to
adopt
a
position
that
you
know,
MLS
messages
need
not
be
encrypted
or
must
not
be
encrypted.
It
might
be
a
possibility.
C
G
Sure
I
mean
we
can
see
and
go
ahead.
How
far
we
get
one.
One
thing
that
we
noticed
is
what
we
very
likely
want
on
the
server
and
some
as
much
kind
of
as
in
terms
of
message:
verification
as
possible,
because,
especially
in
a
Federated
environment,
you're,
otherwise,
really
quickly
get
messages
that
you
know,
Fork
a
group
or
you
know
otherwise
send
garbage,
make
the
server
increment
to
Epoch,
and
you
have
to
roll
it
back
Etc,
so
that
kind
of
stuff.
E
G
D
D
The
rough
idea
is
that
basically,
your
epochs
become
a
small,
dag
associated
with
each
device,
and
then
you
run
a
conflict
resolution
on
them,
and
so
it
allows
you
to
have
those
divergences
in
in
MLS
stage
and
group
and
that
sort
of
stuff
without
having
to
make
the
server
aware
of
it.
So
you
would
still
be
able
to
encrypt
a
lot
of
that
stuff,
but
that's
not
necessarily
described
in
the
in
the
draft
at
the
moment.
I
think
it's
referenced,
but
not
not
actually
written
down.
D
Once
twice
three
times
all
right
next
slide,
please
client
slide
is
the
pretty
much
the
complete
opposite
of
this.
So
servers
pretty
much
just
check
to
make
sure
that
the
actual
syntax
of
an
event
is
okay
or
as
much
as
of
it
that
it
can
see
because,
like
these
would
be
all
encrypted
payloads,
you
know
everything
is
run
within
MLS
the
act
of
accepting
rejecting
events,
adding
removing
users
which
would
probably
change
the
membership
model
to
be
per
device
rather
than
per
user.
D
B
D
It
can't
necessarily
trust
and
a
random
client
on
its
or
as
part
of
the
sort
of
membership
to
just
say
that
you
know
this
was
accepted
because
there
could
be
another
device
that
says
that
it
doesn't,
and
then
you
have
that
sort
of
problem
going
on
there.
So,
ultimately
you
just
let
it
happen
within
MLS.
Everybody
knows
again
with
the
MLS
group
that
you
know
we're
using
this
room
version,
which
means
we're
using
these
ACLS,
which
means
you
can
accept
and
reject
different
proposals
and
commits
that
way.
Richard.
C
Yeah
sorry
I
just
had
a
little
bit
of
a
meta
question
here
in
that
I
I
may
have
missed
like.
Why
are
we
talking
about
server
side
versus
client-side
group
models,
like
my
my
impression
was
The
Matrix.
The
way
it
runs
today
is
all
basically
called
the
status
maintained
on
servers
and
clients
are
very
similarly,
so
are
you
proposing
kind
of
departing
from
that
model
and
building
a
new
model
where
more
state
is
kept?
The
client-side,
which
I
guess
would
mean
a
participants
servers.
It
would
just
be
routers.
D
So
this
is
falling
back
to
yeah,
like
the
conversation
at
a
couple
interns
ago,
where
pretty
much
the
question
of
just
like.
Should
it
be
server
side
or
client-side
was
raised,
but
there
didn't
seem
to
be
an
answer
so
linearized
Matrix
can
do
either,
and
so
this
is
realistically
the
the
sort
of
question
of
which
do
we
want
to
do
as
a
working
group,
which
is
clarified
on
the
on
the
sort
of
next
slide
but
like
covering
like
the
server
side
and
client-side
individual
pieces
is,
is
important.
I
think.
B
Yeah
so
I
wanted
to
comment
on
one
thing
in
your
slide
up
that
servers
don't
know
what
was
accepted
or
rejected.
So
that's
only
true.
If
the
commits
are
a
private
message,
if
the
commits
are
private
message,
then
it
seems
unlikely
that
that
we
would
be
able
to
do
external
joints,
which
we
were,
which
it
sounds
like
from
previous
discussions
that
we're
going
to
require
so
I
I,
don't
know
anybody
who
is
doing
a
serious
implementation
of
MLS.
B
D
Yeah,
there
are
definitely
aspects
that
MLS
can't
necessarily
handle
the
client
sites
are
remodel,
does
aim
to
use
private
messages
as
much
as
possible,
if
not
exclusively
where
it
can.
But
there
are
obviously
the
sort
of
edge
cases
of
eventually
you're
going
to
need
to
kick
a
device.
You
will
need
to
add
a
device
that
sort
of
stuff.
E
E
B
G
Yeah
I
won
a
second
run
on
this.
I
also
think
we
want
to
do
a
public
message.
It
lends
you
essentially
a
bit
between
the
server
and
the
client-side
role
model,
where
you
get
the
advantages
of
the
of
both.
Essentially
so
the
server
can
do
all
the
checks
and
do
tracking
and
can
support
external
joins
can
keep
the
you
know
kind
of
clients
joining
by
having
them
download
the
because
it
tracks
the
registry,
essentially
like
allowing
clients
to
avoid
uploading,
the
whole
group
State
again
and
again
and
so
yeah.
B
C
C
D
F
I
I
I,
think
my
position
on
Twitter,
if
we
bound
was
clear
and
I
think
it'd
probably
be
useful
to
like
actually
try
to
talk
about
a
little
bit
about
what
threats
were
always
tolerated
for
the
surfer
and
which
ones
were
not
rather
than
just
sort
of
like
you
know.
You
know
we
were
talking
about
implementation
details
but,
like
the
relevant
question
is
what
is
it
we?
What
is
it
where
we
wish
that
are
designed
to
provide
in
terms
of
security
against
the
server
and
well
I?
I
I
Do
not,
however,
think
it
needs
to,
or
are
these
it's
practical
at
the
moment,
to
conceal
the
group
structure
from
the
youth
from
the
server
or
or
to
you
know
you
know,
perhaps
you
know
conceal
other
things
like
that,
but
I
do
think.
If
you
look
at
it
for
the
president
I
just
indicated.
That
does
tell
you,
for
instance,
that
that
the
server
may
or
may
not
be
able
to
modify
the
the
accident
the
configuration,
because
if
the
cervical
monthly
configuration
they
can,
they
can.
I
Basically
you
know,
change
the
permissions.
So
if
you
think
that
the
room
has
to
be
cryptographically
protected
the
membership,
then
probably
the
configuration
has
to
be
as
well
so
so
I
think
again,
like
I,
think
the
most
useful,
rather
than
discussing
the
precise
details
of
like
how
women
perform
things
to
discuss,
what
we're
trying
to
achieve
in
terms
of
production
as
a
circle.
E
D
But
yeah
to
Eric's
Point
like
having
a
lot
of
the
stuff
server-side.
Obviously
they
can
just
create
events
and
create
configuration.
Then
that
is
a
problem
when
you
want
cryptographic,
proof
that
the
change
can
happen
or
has
happened,
which
I
think
is
just
basically
saying
that
we
do
want
that
cryptographic.
Proof
Tim,.
A
Yes,
so
one
thing
I
I'd
always
try
to
keep
in
mind
me-
is
that,
like
the
objective
here,
is
to
get
a
number
of
existing
systems
to
Gatekeepers,
to
talk
to
each
other,
so
I
wonder
like
what
are
actually
the
existing
capabilities
of
these
systems.
My
understanding
is
that
for
a
number
of
the
systems
that
are,
you
know
that
we'd
like
to
see
in
drop
rate
via
Mimi.
E
A
B
So
Tim
I
wasn't
really
clear
whether
you
meant
there
are
there.
There
are
features
like
the
ability
to
go
and
add
new
users
that
are,
in
you
know,
example,
gatekeeper,
A
and
B,
like
you
know
like
WhatsApp,
can
do
that
right
and
does
this
allow
for
that?
Or
was
your
question
if
you
allow
people
to
add
users
to
a
conversation?
G
G
Right
comes
back
to
the
discussion
we
had
on
metadata
last
time
to
where
we
have
to
you
know,
work
out
a
threat
model
and
figure
out
which
of
these
yeah
security
or
metadata
requirements.
We
want
to
meet
and
I
mean
we
should
do
that
separately,
but
I
think
these
discussions
on
different
approaches
to
you
know
running
a
server
at
least
kind
of
gets
us
closer
to
to
what
we
want.
So
I
think
this
is
It's
a
good
discussion
to
have
for
sure.
B
I
You
know
you
know
what
those
things
are,
and
you
know
whether
we
need
to
leave
extensions
for
them
or
actually
deal
with
them,
but
have
opt-outs
or
whatever,
but
I
think
you
know,
I
I
wouldn't
want
I,
wouldn't
want
the
system
resigned
to
be,
like
the
you
know,
the
the
minimum
of
all
possible
known
existing
systems,
but
rather
to
be
at
least
compatible
with
the
best.
We
know
how
to
do
while
also
supporting
the
Positioning
Systems,
if
necessary,.
E
E
F
This
gatekeeper
comparison
that
he
had
promised
to
deliver
and
I
think
now.
People
can
look
at
it
and
take
take
some
time
with
it.
But
I
think
we
should
come
back
around
on
this
in
a
future
interim
and
on
the
list
as
people
kind
of
digest
this,
because
we
can
also
use
this
to
try
to
synthesize
like
what
the
actual
superset
of
the
existing
gatekeeper
functionality
is
that
we
we
think
we
want
to
support.
E
D
F
D
Yeah,
that
would
be
very,
very
helpful,
particularly
from
from
my
side
of
trying
to
build
something
that
meets
the
unknown
requirements.
It
does
sound
like,
though,
that
yeah
so
like
we
have
the
rough
consensus
that
something
server-side,
possibly
with
public
MLS
messages,
is
the
the
rough
Target
I
guess:
cryptographically
bound
I,
guess
state
in
general,
not
just
membership.
D
E
A
I
Yeah
I
just
I'm,
sorry,
I
missed
the
beginning,
so
I
don't
know
how
the
chairs
teeth
this
up,
but
I
think
you
know
as
I
understand
it.
We
have
not
yet
decided
on
a
starting
point
for
this
for
this
place
of
the
protocol
and
so
I
think.
Probably
the
the
focus
of
this
discussion
should
be
not
necessarily
answering
questions
about
how
open
your
eyes
man
turns
out
to
look
but
determining
whether
the
linear's
Matrix
is
a
suitable
foundation
for
the
beginning
of
of
the
workers.
I
D
I
I
I
guess
what
might
be
helpful
would
be
you
know
you
know
and
obviously
I'm
asking
you
to
really
argue
against
interest
here.
But,
like
you
know,
what
are
the
challenges
you
see?
You
know,
starting
from
the
United
Matrix,
that
we
have
to
resolve
that
like
profit,
but
I
might
not
be,
might
not
be
the
case.
If
it's
another
protocol
you
know
and
what
are
the?
I
What
do
you
think,
like
you
know,
I
think
I,
guess
I
guess
I
guess
advantages
are
pretty
clear
which
is
like
starting
from
like
something.
We
already
know
that
already
exists
and
works,
but
I
guess
are
there
other
other
advantages
of
of
this
design?
You
know,
as
opposed
to
some
of
the
other
designs.
We've
seen
floated
what
those
advantages
might
be.
D
I
mean
like
that's
the
that's
the
fundamental
Wellness.
It
already
exists,
like
the
the
draft
is
extracted
from
the
existing
Matrix
spec,
so
it
already
functions
in
that.
In
that
respect,
the
other
sorts
of
benefits
are
like
it
honestly
just
comes
down
to
just
its
existence
for
a
while,
like
the
the
author
rules
have
been
narrowed
down
quite
a
lot,
but
I
guess
speaking
to
disadvantages,
it's
the
stuff
that
we
already
kind
of
talked
about
where,
because
it's
a
server-side
model
in
Matrix,
because
Matrix
has
its
own
encryption
existing
already.
D
A
lot
of
these
problems
are
fixed
at
that
level,
rather
than
at
the
sort
of
Transport
or
superset
Communications
layer.
You
know
with
with
introducing
MLS
to
the
stock.
We
have
the
issues
where
servers
could
theoretically
inject
devices,
which
we
obviously
don't
want
so
trying
to
come
up
with
those
rules
is,
is
sort
of
Greenfield
new
tech
that
needs
to
be
decided
on
where
the
the
existing
sort
of
Matrix
spec
using
a
not
MLS.
H
D
I
I
That's
all
I
guess
because
I'm
sure
trying
to
get
out
is
like
you
know,
I
definitely
like
you
know,
I
think
it's
a
lot
of
me
right
and
like
this
has
already
been
done
like
it
works
but,
like
you
know,
but
like
obviously
in
anything
anything
like
I,
guess
anything
made
anything
else.
So
I'm
wondering
are
there
like
if
you
like,
look
at
Jeff,
Rosenberg
and
I.
D
That
sort
of
side
of
things
is
is
look,
I,
think
we're
like
ours.
Matrix
yeah
definitely
has
some
sort
of
standing.
The
existing
proposals,
architecturally
or
all,
are
all
pretty
much.
The
same
I
think
we
discussed
that
at
the
the
last
interim,
where
it's
all
of
them
have
some
sort
of
central
server
that
deals
with
the
fan
out
for
the
other
servers
and
the
other
servers
just
kind
of
send
it
through
that
and
on
a
roughly
per
conversation
or
per
room
basis.
D
The
participant
servers
kind
of
exist,
something
for
the
the
later
requirements
would
be.
Do
we
want
to
be
able
to
move
that
Hub
to
a
different
server
like
let's
say
provider,
a
just
has
no
interest
in
running
the
room
anymore,
but
provider
B
does
have
an
interest.
You
know.
Is
there
sort
of
Merit
in
having
having
that
be
transferable
state
of
some
kind.
H
And
that's
why
planting
the
existing
decentralization
stuff
in
Matrix
means
that
moving
the
Hub
around
could
be
much
easier
because
you
could
use
the
basically
a
subset
of
the
proof,
logic
that
is
used
for
the
full
fat
decentralized
Matrix
in
the
context
of
linearized
Matrix.
In
order
to
securely
hand
over
a
hub
from
A
to
B
I
think
there
was
also
a
difference
on
MTP
in
terms
of
mutability
of
events
or
messages
that
I
seem
to
remember.
H
The
jury
was
out
on
whether
the
message
contents
was
immutable
or
not,
whereas
a
matrix
would
have
gone
deep
down,
the
immutability
rabbit
hole
and
it's
worked
out
quite
well,
albeit
with
things
like
redactions
being
or
sorry
deletions,
being
append
only
messages
that
you
put
into
the
log,
which
then
go
and
preserve
the
Integrity
of
the
previous
messages.
By
only
deleting
the
human.
G
G
Thought
I
had
a
solution,
but
apparently
it
doesn't
work
anyway,
yeah,
so
to
jump
in
here.
The
so
last
I
looked
at
the
combination
between
Matrix
and
MLS,
like
one
of
the
issues,
was
matrix's
the
functionality
of
essentially
supporting
longer
term
net
splits.
So
is
there?
How
does
this
relate
to
the
linearized
version?
So
do
people
have
to
keep
key
material
around
to
essentially
potentially
recover
from
an
expert
that
they
might
or
might
not
know
about?
This
is
something
that
that
is
still
present
in
linearized
Matrix.
D
Matrix
because
everything
runs
through
a
hub,
rather
than
being
a
full
mesh
transport,
you
end
up
having
the
situation
where,
basically
that,
as
long
as
the
Hub
is
online,
you
should
be
able
to
send
information
between
other
servers
and
it's
less
important.
If
the
participant
server
doesn't
receive
things
because
the
Hub
can
theoretically
say
Hey,
you
haven't
received
anything,
you
can't
produce
anything
until
you
receive
all
this
stuff,
but
equally,
if
the
hub
goes
down,
nobody
can
chat
anywhere
because
there's
nowhere
for
the
the
conversation
to
go.
H
E
H
Some
devices
get
added
on
the
far
side
of
the
partition,
then
obviously
you're
not
going
to
encrypt
for
them
at
the
time,
because
you
don't
know
that
they
exist,
and
so
you
would
have
to
go
and
re-encrypt
and
effectively
exfiltrate
the
information
out
to
them,
which,
as
a
whole,
set
of
obvious
trust
and
problems
associated
with
it.
So
what
we're
actually
switching
to,
particularly
in
the
very
latest
generation
of
Matrix
clients,
is
to
just
disable
what
were
the
key
gossiping
functionality
entirely.
H
So
we've
got
this
new
client
called
element
X,
which
is
built
on
a
new
rust
SDK,
and
about
two
months
ago
we
made
the
decision
to
just
turn
off
the
Kegel
spin
functionality
outright
and
instead
handle
basically
a
UI
feedback
mechanism.
That
says
sorry,
you
can't
see
this
message
because
the
person
who
sent
it
didn't
know
you
existed
and
empirically
users
seem
to
be
able
to
get
comfortable
with
that.
If
it's
presented
simply
enough,
because
in
the
decentralized
world
of
Matrix,
it's
obviously
a
bit
of
an
edge
case.
If
you
have
a.
F
H
D
It's
taken
days
rather
than
months
to
actually
make
the
thing
function,
the
interop
side
of
things
we've
proven
it
can
work
with
synapse,
which
is
a
traditional
Matrix,
Home,
Server,
capable
of
supporting
dags
and
all
that
fun
stuff.
It's
like
we
do
have
the
interrupt
with.
Obviously,
our
own
stack
we're
just
kind
of
working
out
the
the
details
of
making
it
function
with
something
that
isn't
Matrix
branded
I
would
say.
C
H
Oh,
if
sorry,
if
you're
playing
Felson
news
with
the
queuing
discipline
by
the
way,
but
we
do
have
two
different
compliance-
Suites
that
we've
already
written
for
Matrix
as
a
whole.
Admittedly
looking
at
the
client
server
API,
as
well
as
the
server
server
API,
there
isn't
one
yet
for
the
new
linearized
Matrix
server,
server
API,
but
yeah
one's
called
site
test
and
slightly
embarrassingly,
is
written
in
pole.
E
H
C
H
A
really
interesting
fact
could
be
to
take
an
existing
normal
Matrix
server
and
make
it
to
linearize,
Matrix
and
potentially,
and
so
we
have
eigen
server
as
complete
Standalone
clean
room
thing
that
Travis
wrote
and
then
forgot
the
name
of
the
taking
the
existing
ones
already
out
there
and
making
them
speak.
The
dialect,
too,
could
be
those
points
or
we
could
potentially
get
one
of
the
independent
Matrix
servers.
E
D
I
E
C
Yeah,
that's
a
super
positive
development,
so
thanks
for
that,
just
to
soften
ecker's
point
a
little
bit
like.
Obviously
that,
like
fully
independent
implementations,
just
from
spec
is
the
the
standard
to
which
we
Aspire
for
the
final
stuff
here.
I
think
the
question
as
Ecker
pointed
out
earlier
before
the
working
group
here
is
like,
what's
the
right
basis
for
the
working
group
2.0
to
start
from
and
I
think
to
get
to
that
adoption
question.
C
You
know:
you'd
want
some
level
of
Independence,
but
you
could
probably
allow
some
level
of
coordination
but
still
kind
of
working
from
the
spec
and
without
a
lot
of
external
tools.
So
you
know
you'd
want
to
like
start
from
something
where
you
can
get
some
interop
and
then
reduce
the
level
of
coordination.
You
need
reduce
the
level
of
dependence,
ethics
troops,
so
I
think.
Yes,
we
want
to
get
to
intermittent
implementations,
but
you
know
so
the
adoption
question
we
just
need
some
basic,
so
some
more
basic
demonstrations
a
little.
F
F
That
need
to
be
added,
and
that's
like
a
fine
fine
thing
to
do,
but
also
like
validates
whether
this
design
provides
the
all
the
functionality
that
some
other
third
party
would
be
looking
for,
if
they're
interested
in
and
interrupt
so
I
think
both
you
know,
having
both
of
those
things
as
benefits
is
reasonable.
At
this
stage,
right
I
think
the
eventually
like
some
Independent
party
being
able
to
implement
the
thing
from
the
spec
is,
is
a
good
objective,
but
that's
not
where
we
are
today.
H
Remember
to
press
the
key
button,
so
I've
been
talking
to
two
different
independent
outfits
who
were
interested
in
independent
implementations
of
linearized
Matrix,
basically
as
a
way
to
plug
it
into
existing
non-chat
servers,
so
Mastodon
style
things
where
people
don't
have
encrypted
DMS,
but
want
to
have
a
sort
of
simple
easy
to
implement.
Don't
have
to
run
a
great
big
full
fat
Matrix
server
way
of
hopping
on
board,
so
I
can
certainly
nudge
those
guys
and
see
if
there
was
appetite
to
crank
out
an
implementation
again
clean
room
purely
from
the
I.
H
The
internet
draft,
without
cheating
and
looking
at
sweat.matrix.org
and
I
can
certainly
find
folks
who
can
pretend
to
be
independent
through
within
the
Matrix
and
ecosystem.
Well,
Independence
development,
at
least
who
could
have
a
play
with
it
as
well.
I
think
it
sounds
great
I
mean
bring
it
on.
The
whole
point
here
is
to
have
something
that
people
can
Implement
independently.
E
C
Sorry
I
took
a
second
but
I
managed
to
get
the
slides
on
the
top
of
the
new
button,
so
I
wanted
to
like
rewind
a
little
bit
here,
so
changing
topics
in
case
anyone
wants
to
understand
the
current
topic,
someone
I
someone
brought
up
a
few
minutes
ago.
The
client
server
API,
and
it
reminds
me
of
a
question
that
came
up
in
my
mind
with
regard
to
linear
linearized
Matrix
it
the
picture
kind
of
the
architectural
picture
you
showed
before
had
servers
talking
to
servers
and
so
I
believe.
C
E
C
Sorry,
just
in
just
a
and
just
to
kind
of
like
elaborate
this,
and
that
we
have
this
in
front
of
us
like
what
I'm,
what
I'm
wondering
is
like
these
Blue
Links
from
the
servers
up
to
the
hub
would
be
the
The,
Matrix,
client,
server,
API
or
whatever
simplified
definition
of
it.
We
do
here
and
the
green
links
out
to
the
clients
would
be
whatever
provider
aspects.
Whatever
provider
B
speaks
and
then
job
with
the
server
would
be
just
to
map
those
operations
up
into
the
interoperable
thing.
D
Yeah
I'm
slightly
concerned
I,
guess
that,
like
there
might
be
sort
of
basically
terminology
overloading
going
on
in
a
certain
sense,
because
we
did
so
like
the
blue
lines
here
between
the
the
providers
that
is
server
to
server.
But
there
is
obviously
a
client
from
a
network
perspective,
so
linearized
Matrix
is
based
off
of
the
Federation
API,
with
with
all
that
consideration,
The
Matrix,
client
server.
Api
is
honestly
like
way
too
complicated
to
even
really
consider
for
for
this
sort
of
like
for.
D
H
Think
it's
right
to
have
completely
different
flavors
of
apis
in
the
end
between
the
two,
because
you're
optimizing
for
totally
different
things,
the
clients
basically
need
to
see
a
partial
view
of
the
total
data
on
the
server
and
so,
for
instance,
on
The
Matrix
csapi
right
now,
we're
on
our
fourth
generation
of
same
kpi
and
the
whole
idea
is
that
it's
lazy
loads.
Only
the
data
that
the
client
needs
to
see
onto
the
client.
So
you
just
do
not
get
any
information
about
other
rooms
that
you're
not
looking
at
you
don't
get.
H
You
know
most
recent
messages:
it's
almost
a
graphql
style
feeling
where
you
pull
in
as
rapidly
as
possible,
the
bare
minimum
to
have
the
most
responsive,
first
fastest
time
to
First
interactivity
app
imaginable
and
that's
how
Discord
in
Telegram
and
the
other
really
really
performing
mainstream
apps
are
doing
it
and
that's
just
a
fundamentally
different
problem
to
how
do
you
synchronize
the
message
backlog
on
This
Server
through
to
a
hub
to
a
different
server?
You
don't
need
any
of
that
lazy,
loading
or
graphql
install
semantics.
It's
much
more
of
a
message
queuing
thing.
D
C
D
C
E
C
C
E
D
The
clients
on
provider
B
might
want
to
know
that
you
know
a
new
admin
was
added
or
somebody
was
kicked
from
the
room
like
just
to
visually,
show
it
to
their
users
and
so
like.
While
the
information
creating
center
for
the
wire
might
not
be
important
to
the
server
operation,
it
still
might
be
important
for
user
experience.
G
G
So
in
the
sending
case,
the
server
is
really
just
essentially
a
downpipe
forwarding
the
the
messages,
but
in
the
receiving
case,
obviously
them
and
the
client's
server
has
to
do
the
you
know,
store
and
following
stuff
and
obviously
there
you
can
have
a
more
sophisticated
API
during
the
graphql
things
that
Matthew
just
mentioned
so
I
mean
we
don't
have
to
do,
go
all
in
on
this
I
guess.
But
why
not?
You
know
allowing
it
partially
might
also
be
in
the
interest
of
metadata.
F
H
The
end
and
that
what
really
is
the
difference
between
a
separate
service
over
API
and
a
client
server
API
other
than
almost
the
prefix
on
the
API
on
the
URL
itself,
because
if
you
have
two
different
ways
to
send
messages,
one
of
them
is
more
message.
Query.
The
other
is
more
actually
I'm
trying
to
think
of
the
differences
between
sending
messages.
The
the
difference
on
Matrix
is
that
when
you
send
via
client
server
API,
you
don't
need
to
understand
the
dag
or
the
linked
list
or
whatever.
H
The
underlying
data
structure
is
for
the
room.
You
just
send
a
message
and
you've
got
a
transaction
and
it's
not
within
the
context
of
anything
else,
whereas
when
the
servers
synchronize
the
messages
together,
it's
in
context
in
linearized,
Matrix
of
a
linearized
like
this
or
a
normal
Matrix
as
a
dag,
and
so
the
permissions
which
are
applied
by
the
server
well,
the
messages
are
synchronized
in
the
context
of
the
permissions
which
are
being
sent
on
the
server.
E
D
Sorry,
like
just
briefly
on
that
Matthew
the
the
way
that
lagrance
Matrix
is
currently
structured
as
well
provider.
B
doesn't
actually
need
to
know
anything
about
the
linked
list.
It's
only
provider
a
that
needs
to
know
about
the
history
and
enough
to
fill
like
the
previous
events,
that
sort
of
stuff,
because
it'll
rebroadcast,
basically
the
correct
or
final
form
of
whatever
the
event
is
out
to
the
remaining
servers.
B
E
G
D
I
guess
benefit
of
something
like
MTP
or
BMA
transport
protocol.
It
doesn't
actually
say
it's
a
server
server,
API
or
a
client
server
API.
It
just
is
an
API
which
is
yeah,
I,
think
arguably
like
in
in
essence.
Yes,
linearized
metrics
could
be
or
characterized
as
either
but
yeah,
like
maybe
I'll,
just
take
it
to
the
to
the
draft
and
call
it
an
API.
F
F
So
so
here's
my
assessment
of
of
where
we
are
and
I'll
like,
propose
some
next
steps
and
people
can
react
to
those
so
I
feel
like
we've,
had
some
productive
discussion
sort
of
more
in
in
the
requirements
and
design
decision
space
about
the
transport
protocol
in
the
last
few
meetings
and
that's
been
good
I
do
think
that
needs
to
be
synthesized
and
put
out
to
the
working
group.
So
people
can
evaluate
that
and
and
react
to
it,
and
so
that's
something
that
I
will
aim
to
do.
F
F
F
I
think
we
also
talked
about
trying
to
find
some
independent
non-matrix
based
parties
who
might
be
interested
in
getting
going
on
interop
testing
with
linearized,
Matrix
and
I.
Think
that
would
be
a
very
valuable
process
for
us
and
as
we
go
forward
on
both
of
those
things
both
you
know
people
looking
at
the
draft
and
also
you
know
potentially
getting
some
interop
testing
going.
F
I
think
to
get
to
the
step
of
saying
like
do,
we
want
to
either
adopt
linearized
Matrix
as
as
a
target
for
the
standard
that
we're
supposed
to
produce
for
the
transfer
protocol
or
do
something
else,
and
we
still
have
MTP
as
as
another
proposal,
so
I'd
really
like
to
push
forward
on
that
over
the
next
like
month.
Let's
say
we
have
an
interim
in
two
weeks
and
we
can
schedule
another
one
prior
to
itf117,
but
I
think
you
know
Gathering.