Internet Engineering Task Force Interim Meetings, 30 Aug 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF-MIMI-20230830-1900

Description

MIMI meeting session at IETF
2023/08/30 1900

https://datatracker.ietf.org/meeting//proceedings/

A

A

To the Mimi interim meeting, um it's three o'clock so I think we can kick off Although. Our first presenter is not here yet, but maybe he will be here by the time we get to him so Tim. Can you advance this way.

A

So just a reminder: this session is covered by the ietf note, well, which um is inclusive of a variety of different policies that the ITF and poses on its activities, including IPR code of conduct and other things. So please take note of it.

A

A

We are looking for a volunteer for a note taker for this session. Is there anybody who's willing to take notes?

A

Just needs to kind of capture, high level points of agreement, and disagreement doesn't need to be like a transcript because we'll have a transcript, I. Think.

A

Any generous Soul who would like to take some notes for us today.

B

I can take notes some insurance thank.

A

You thank you very much. Conrad. Okay, thanks next slide,.

A

Okay, so here is our agenda for today, first hour is going to focus on transport and signaling architecture and we're going to get an update from the design team. So Richard will be leading this discussion, but we left a lot of time for lots of interactivity on this one.

A

um So he- and he also published a draft just yesterday, which he sent to the list, so hopefully folks had a time to take a look at that. If not, you can reference it as we go along uh we'll give that as much time as it needs. This is our you know our first set of deliverables I'll relate to this transport architecture, so we'll spend our time there as as needed.

A

um If it takes about an hour, then we'll have an hour left and second hour, we'll focus on user Discovery requirements um really looking specifically at Discovery. um Sorry, it's looking specifically at requirements and not Solutions.

A

um So we have a bunch of different presenters, lined up for this um Jonathan and Ecker uh to kick off and provide sort of overview and um sort of points of discussion for for the rest of the group and then Giles and Vittorio, who have more specific proposals from their respective drafts, and we left some time at the end there for discussion. We might need to kind of rejigger a little bit based on people's conflicts and some people having to leave early, but we will we will do our best um Giles.

A

Did you have a question.

C

I'm sorry I'm not familiar with this.

A

D

A

Okay, uh you, it looks, like you raised your hand to be in the queue, at least from from my interface. That's what it looks like. um So if you, whenever you have a question, you should hit the hit the raise hand, button you'll, get in the queue and and we'll run the queue as normal, um just like we did in the in the in-person meeting. But for now you don't need to be in the queue. um If you don't have a question so.

C

A

um Any bashes to the agenda or questions or comments that people have on the agenda.

A

Okay, then I think we can kick it over to Richard.

E

Hello, my audible here looks like it.

E

Can can someone confirm I'm audible? You are Audible tomorrow, all right. Thank you.

E

Bro you're, already in the queue.

E

Rowan, do you have a comment.

E

Okay, um assuming that is a spurious uh in queuing from Rowan um all right, so I apologize, I just got into the room here and I missed the whole uh chairs intro. But um what I was gonna uh present here is uh an update from the design team that we discussed uh back at the ITF meeting, uh give folks an update on kind of what the design team has been discussing and how far we've gotten and one of the outputs of uh you know, snapshots of what we've gotten so far is. Is this architecture concept?

E

The general approach here is that we've been trying to make an architecture that defines what the protocols are that we need and what they do so that people you know design protocols that work well with each other when they go off the design protocols.

E

um I'm just supposed to say next slide here, because team you're driving there you go yeah go ahead next, one.

E

Yeah, so if you cast your mind back, oh these, several weeks to uh Late July, um we had some discussion at the ietf meeting about adopting some of the protocol drafts that existed then um and ended up not having consensus to adopt any of the things that were existing at that time. And so there was a suggestion from the working group that we get a smaller kind of design team together.

E

I, don't think it's an official working group design team, but I don't bothered much by the process there, but it's a group getting together and trying to come up with a proposal for adoption in late September or so that has a little bit more broad base of consents and you know involved. You know you know you can see.

E

The list of folks here involves authors of eventually documents that exist, and so we're trying to take a bunch of the ideas and the existing proposals and merge them together into into a framework that makes sense for everybody, so I'm going to give an update on what we've gotten so far.

E

um The plan, as was expressed at the ITF meeting, is to have um some drafts ready for working the working groups, look at in in the middle of September, with the idea that at a late, September uh interim meeting, which I believe doodle has gone around, for um we could start doing some adoption calls and hopefully have some adopted documents.

E

The working group can then can work on and to be clear and set expectations properly here, right, obviously, in the ITF adopting a document does not mean the document's done, um and so these documents should be uh you know. Even you know, once we've been through this design team process should be reviewed as starting points uh as points for further refinement.

E

So that's that's the the plan of record next slide. Please.

E

So we commissioned that design team back in July. um Since then, the design team has been diligently working. We had a face-to-face meeting after the Mimi uh working group meeting as it comes on Friday morning by ATF week um kind of had some initial discussion about what an architecture looks like and what the overall, how the overall system fits together.

E

um There's been three design team calls, since the ietf of which, in all I'm saying this too, because I was on vacation but I hear they did. uh They got a lot of work done um largely so far been kind of discussing architecture, approach and working through some basic example cases. So you know how what should it look like? What should the operations be when someone when the room is created and someone's added to the room?

E

Etc um a couple of General bounding concerns and desiderata that have come up as I think understood the goals of this effort. You know, obviously, as the charter says, engine Security based on MLS, but we're trying to phrase things a little more generally in case folks want to bridge in other stuff. Not you know not within the context of the working group, but you know defining a clear demarc in case someone else in some other context wants to um wants to do that.

E

um An interesting uh concept that came in I think starting from the discussion with the atfd, was this idea of object level of authentication of protocol messages, um which um you know exists in some protocols now. This is emphasized to different degrees in different protocols, but I think this idea of a very pervasive authentication kind of came in from the New Media stuff, and this is infiltrated some of the ongoing ideas. I'll say more about that.

F

E

Another point of emphasis is this idea that you know, as the name of the working group implies more interoperability, um there should be some degree of incremental adoptability and some degree transition story from from current protocols.

E

um So those you know kind of General ideas that are guiding the discussions are, in the background of discussions um that you'll you'll kind of see coming up in some different ways in more details. So this this draft I published yesterday, um we've kind of had, is a working document to to Prime the discussions. So we've tried to capture areas where the design team has clear ideas and agree. You know things we agree on um and also um help Drive the discussion forward by making some proposals in areas where there is ambiguity or disagreement.

E

So it's it's a mishmash um uh as it stands right now. That's that's what it means to be a working document. It's not the uh you know, not authoritative. It's just trying to capture the state of where the discussion is right now and as you'll see. If you look at the document, there are some things that are clear.

E

There's some some notes in there flagging areas where more work is required or whether there's a disagreement overall as and so most of the rest of the deck today is kind of going through the ideas in there and teeing up some discussion around some of those areas of disagreements. You can have some design real live design. Team discussion, maybe in this working group, called, hopefully bring the rest of the working group in so they can understand where the design team's gotten to.

E

um Overall, though I think we are pretty well on schedule for the September deadlines, I, don't think you know the the products we we have coming out of the design team may not be real polished, real done, but, as I said before the point of adopting a documents as an adopt a starting point.

E

That's pointed in the right direction and I'm hopeful that this having this architecture in mind, at least um with some degree of fidelity, um will give us some confidence in adopting these starting points, um and you know, because we'll have some idea- that these starting points have the right shape. They're pointed in the right direction, I think that's! My last slide on design team status.

E

um If anyone had questions or comments on design team before we dive into more more interesting technical stuff.

E

All right next slide, please yeah, so uh at the ietf meeting I had you know, presented this architecture, some architectural thoughts as as lead up to design questions, uh and had us footnote that someone should write a document. So now we now we have one.

E

um Obviously, as I said before, this is actively in progress, so everyone Don your heart, Hat's, another protective equipment and let's dive in next slide, please.

E

So this is a recap. uh You should recognize the slide. It was in the deck at the ITF meeting, um the the design team had some discussion about. You know just confirming that we are in this client to server to server, to server, to client architecture where there is a hub server and there are followers or there's the Hub server is where a room you know a room is the organizing concept should be.

D

E

In you know many many messaging systems room is the organizing concept. There is a a server to which that room is homed. We've been using the word hub for that and follower for other servers um and everything that happens in the room uh gets routed through that Hub server, so clients access the systems via their servers by a server for their provider um and then servers exchange events, objects or the terminologies a little influx. But there's there's things that the servers exchange um with authentication that kind of make the room go.

E

Some of these things capture messages that are the actual messaging functionality. Other things capture changes to the room you know joins and layers, and that sort of thing, so hopefully, this this client to server to server to server to client architecture, looks familiar to folks next slide. Please one area of clarification that came up in the discussions was whether we really really mean that everything goes via the Hub and in particular the thing that that, for that was a little unclear when the discussion started.

E

Was you know when, when a someone at server a is trying to add a user at server? B, uh you know they serve the user server a needs to fetch some information about server, beats and add them to the cryptographic statement.

E

Unless it's called a key package, um and so you could ask the question: reasonably: does server a talk directly to server B to fetch that information, or does that fetch go via the Hub servers or receiver or the room is hosted um and there was pretty clear agreements uh among the design team that like, in fact, we everything needs to go via the Hub server, and the reasoning was was something like the third bullet here that um as providers start opening up these open interfaces and start interconnecting with each other?

E

um It's not going to be the case that every server is willing to uh interact with every other server. That's out there.

E

So if uh server, a and server B are both interacting with server C, which is the home of the room, then clearly a is what we work with c and b is willing to work with c and so there's a communication path there, and we should rely on that communication path instead of relying on also having a communication path between A and B, Because, A and B might not be willing to talk to each other. If they've decided, you know each other, you know.

E

Maybe a has decided that b is a spammy server, but it's willing to interact with via server C in that specific context. So there may not be a communication Channel server, a between a and b, and so everything really everything in the channel goes via the Hub, really getting all three of those s's in there. Every time got to make sure we cross all the Hops next slide. Please and people should feel free to enqueue. Ask questions. Tell me I'm crazy at any point here. Hopefully this is all sounding pretty familiar folks: yeah, listen.

A

I wanted to either ask or sort of point out that, um in the case where the the Hub, the recipient user, is actually attached to the hub, there's only two servers involved so like the number of s's in the middle is sort of less relevant than the Hub and follower aspect. I know that we like to talk about which kind of protocol are we doing here, but I think that's.

A

It's so kind of like helpful to remember that, um because the difference between Hub and follower is only meaningful and like for a subset of the conversation.

E

Correct yeah, yeah, um I I think it's accurate to say that there are in any given uh room at least two uh providers at least two servers involved. So it's at least cssc I I. Don't think we're anticipating that you know a single server would host.

E

um You know things inside a provider, although I guess providers should could feel free if they build the right apis, but um I think we're pretty clear that everything that Mimi is doing is about the inter server interactions and secondarily the the you know when things are end to end those clients defined interactions.

G

I have a preliminary question, which is: is this pronounced, Sisk or uh or what.

E

I I think it's.

G

E

Right the sibilant has to last at least 750 milliseconds. We.

G

Got it okay, um are you going to talk at some point in this conversation about um the husband's responsibilities, um because this is just like saying: it's forwarding the information, but are you talking about responsibilities and whether there are any multiple hubs and this kind of stuff.

E

uh I don't have that in this deck, but let me try and summarize what I believe uh we've heard in the last in the last ITF meetings. um uh It's a good call out.

E

We should we should capture the document, it's not in there right now, but I think the the thing what people have in mind is there is at any given time there is a single Hub uh to which the room is home, so there's a room does not have multiple hubs um and that the Hub is not simply a blind forwarder, but it can all. It is also uh acting as a policy control Point as as well. This was, as I recall, a point of discussion at the.

H

I

E

Where um I think we said that the uh The Hub establishes the policy envelope uh that that phrase is in the document, so the Hub establishes a policy envelope and then the clients and servers participating in the room can contribute uh to the precise policy.

E

um I think the document also says that all the servers have a common synchronized. You know up to some boundary view of what the policy is, uh which means that any of the servers can act as a policy control point.

G

Right um so I guess I guess the reason yeah yeah right um well independently enforce the policy, but that um right, um I guess the part of what I'm asking is if it's possible first, is for hubs to move then for or for our communication. Then this this point here about this this last last major ball in the slide may have may have a real problem in this. You know that, maybe, if, if a and b are not only talking, then the pub cannot move to B, because it's bad news right um so.

D

I

G

We will be important to establish quite early, so I think this is a good design, Choice, um but I think that I think I think it has some consequences and I think one of them is that portability plays more difficult um and I'm perfectly fine enough in portability, but others may not be so. I just wanted to fly that.

E

Yeah and and to be clear, I think that folks do have in mind that you know. Ultimately, we will need some portability mechanism like that, so the Hub can move, um but yeah you're you're totally right that it does have this consequence.

G

Well right, but I guess what that means is that you'll you'll then need a mechanism. You know, then patient need to elect uh a new Hub. Not just not just have one stand up right and you say see it's like it's like I mean starting like so the sort of implied structure of the current system that I understand.

G

It is like that roughly the initiated, there's first, an issue in the chat becomes the hop right um and- um and so you might imagine, saying well that, like you just rank order people by like entry into the room and of like that, if, if you know the garbage collect the Hub and like that, may not work in this situation right um and so and in fact to me it may be possible in this situation, if you're willing, I guess what I'm saying is.

G

If you think that, if you think there's no non-requirement that every service, when you touch every other Surfer, then it may be Pro. It may be the case that a room can Decay to the point where, where it can no longer be possible to have it work, um because um uh if, if if, if you say hubs are garbage collected when there's no longer going to be on them um and not everyone, you don't have a full measure.

G

Communication then give a possible that, like when the last person from surface a lead, students or C leaves like the communication just falls apart, even though A and B is still in the room, and so um that's not undesirable. I'm, sorry about outcome, um and so I just wanted to find that so like so so it may be more complicated.

E

Yes, I mean yeah, I, mean I. Think there's you know multiple ways that these things can resolve right. Like hopefully you know in an ideal world like we wouldn't. Actually you know we could design to accommodate these reachability problems and they may not materialize uh in reality. Maybe there's you know that there's a the community of servers out there, that's officially large and everyone's willing to talk to one another within that space, and so affordability, just works um so yeah I think there's a little bit of kind of buildings.

G

Yeah I'm happy I'm, happy I'm, happy I'm happy for this for a while I just wanted to like sure we had to have these things in our mind.

E

J

And maybe controversial, but we can also live in a world where Hubs Don't don't move right like that, might not be a bad design choice where basically still received owns the room forever.

E

Well, I think that is certainly what we will build first, because yeah I think just practically I think the the portability stuff is scheduled behind getting the thing working. um So certainly the word world we will build. First will at least Define standards for first will be a world in which the Hub doesn't move.

E

um No, you know Zachary points out. You might have all the all the serversy users leave and then you know maybe you're rely on service use charity. um Maybe that's okay. um Maybe we don't need portability, but I I. Think that's that's a question for a bit down the line. Travis did you have uh comment? I saw you pop up and back.

H

Sorry, I'm muting, it probably takes 30 seconds. um No, you answered it as part of uh your your speech. There cool.

E

All right, I think we can move to the next slide now.

E

So yeah, um so we're kind of trying to build up a model of you know how the protocol works. So you need to know what you know we said rooms are the organizing concept, so you need to know what are you going to do with the room to know? What does the protocol need to do?

E

um One thing the protocol doesn't need to do is create rooms, um I think, as Ecker pointed out, there there's an assumption that we should. We should document clearly that wherever the room is created is the hub for that room.

E

um But uh the folks agree that that the creation of a room is not something that you do using a meme protocol, because when it's a room is created, it's between, whichever user created the room and its local local provider, and so the mechanism to create the room is, as is, is local to that provider, and so because Mimi is about into provider relationships, we don't need any protocol uh to do it um now. The caveats of that is that when you create a room, uh it's going to initialize the room with some stuff.

E

It's going to make some initial crypto State. Some initial policy State and you're going to ultimately need to share that, with uh with other particip other providers who are going to participate in the room after its creation, so there will there will be protocol results. You know the the state that the protocols help thinks and talks about will get initialized by this creation operation, but there's no kind of message that is sent in the protocol to accomplish the operation.

D

G

Yeah I've got a wish on the screen. um That's amazing, um so um uh your assumption is that a room is created. Only has one person in it, then, in the in a full case.

E

Or uh yes or I mean the the bullets I've laid out here would also be compatible with creating a room with only users from a single provider. Yeah.

G

Quite quite so, yes, yes right so right, but right.

E

Yeah, so if, like you me and Martin Thompson had a room on WhatsApp and we wanted to add, uh you know Rowan on wire yeah, we might kind of promote that provider native right into it. Agree.

G

Yeah right, but if but if but if I was on WhatsApp and you were on wire than us, then the order of operations is I, created, empty room or not empty a room, a size one in WhatsApp and then add you on wire right. um So this is like an MLs question. Okay, MLS groups only have one have exactly one member.

E

Oh, in fact, that is the only way that an MLs group has ever created. um Is that you initialize a one member group with yourself and then you add people to it.

G

I guess that's true: okay, fair enough yeah I.

E

G

Thinking of it as you as you created by instantiate by adding the new person but you're part right, okay, um then that should be fine yep.

E

um But yeah that may be something the document more clearly is. The assumption is that this, um the uh initial population of the room is local to a specific provider and then in other users, local to other providers can then be added to the room and I. Don't think it really matters whether it's one person within that provider or multiple users I think this.

E

It seems plausible. This promote, promote a provider. Local group to an interoperable group thing um actually seems like a plausible use case. If people are gonna, if provider is going to use the Mimi stuff for interoperating stuff and not for their local stuff, so it seems plausible.

D

E

The creation um no protocol for that, but it has uh it initializes the state um messaging.

K

Sorry Richard simply.

E

K

Sorry, yeah sorry to interrupt Mallory's in the queue uh before you move on.

E

K

I was looking cute, oh I think perhaps that was I already want to ask a question.

L

Sorry I hit the wrong button. Thank you. Yeah, um before we move on I think it is important to Define this, but it could maybe happen later. I just see a real problem with um often what happens say with people who often are communicating with one another is that they go to their chosen app and then they add in the people they want to talk to whether or not they have an open group chat, and it would be a vastly different experience.

L

If the person initiating, let's say that three-way um example, you used, um if the person who initiated the the message changed in the room, or it would just be that you would have multiple different rooms. I don't know if I'm, making myself clear but I think that um this should be really well defined.

L

I also see some providers, as maybe having reason to or mechanisms that they could devise ways to play with the protocol such that they were always the host, and maybe that would be an advantage and- and that could be a Competitive Edge, so I think the protocol and the specification should consider that a potential vector and try to tighten it up thanks.

E

Yeah Fair Point, um if we have this invariant, that it's the creator of the room, that is the Hub, that kind of avoids the gaming point that you you brought a player but well obviously we'll come back up if we have a hub portability protocol later on.

E

um With regard to um kind of opening, your preferred app and adding people I think there's a little bit of a separation here between the user experience and the protocol operations. I I think you could have a user experience where I open up, say: WhatsApp I, add uh you know my friend Alice who's on wire, my friend uh Bob who's on Wicker and just hit make a uh you know, start up.

E

The group chat, um I think that's compatible with an under the hood, my client, creating a room local to my provider and then adding those uh users on other providers to the room. So just because we say add, it doesn't necessarily mean that there's a user visible ad operation that.

L

That makes a lot of sense, but it would be frustrating if, a week ago, those same people were talking and Alice had created the room last week, and that means you're in two different rooms now with the same people, because Alice and you are on different providers, and so you have different rooms. That's all I'm trying to say is that that is often a very common. In my experience, anyway, it's a it's a really common mode of user um operations, and that could just lead to a lot of confusion.

E

Yes, although I I, I, I, I, understand the confusion and frustration, I'm, not sure how well it's going to be feasible to maintain uniqueness uh of anything across providers. Raphael.

M

Yeah just to quickly add to that I think it's a very important point, but I think providers are capable of achieving any kind of ux that desire. In that instance, they could, as you said, Richard promote an existing room from an MLs perspective. There is no reason that would stand against that if they want to instead clone a room um and I have a different group. They could also do that so, but from the protocol perspective um both are possible, so it's not prohibitive in any way. I think.

E

Okay, cool all right, so that's creation and ownership um like I was like messaging, is kind of the next simplest thing in that server yeah, the messaging is presumed to be intent encrypted. So the actual contents of the messages are only going to be accessible to the clients, which is why we have a messaging format. Draft. It's already adopted that says what the contents of those messages are.

E

um So at a certain level, the servers are really just forwarding things and it follows This Kiss pattern where uh you know the user submits a message to their origin: server, the origin submits it to the hub, The Hub fans it out to everybody else, who's in the room. um So basically the Hub needs to know all the servers who are involved. The servers need to know all which of their users are involved in the room.

E

um Now, as we discussed a few points up, um the other thing that servers can do in addition to forwarding messages is apply. Authorization policy, so I think we are assuming that it will be visible to the servers who is sending a message um and so an aspect of the authorization policy um that one could could imagine is you know whether a given user is authorized to send messages into the space or who we receive, and so that sort of policy can be applied even outside of the envelope.

E

As long as you can see who the sender is so yeah, we will need a message forwarding protocol, but it's it's a fairly straightforward one. The more interesting uh uh question here um you know, ironically, we just sort.

D

E

Actual thing we're trying to do the messaging, the cool stuff we've been kind of push-offs inside so yeah, that's that's straightforward, we'll get to it and then let's focus on how we maintain the state of the room. um So obviously a room is going to have some State Associated to it. Aside from just the messages that are sensitive, um it's going to have you know cement and encryption State. You know the keys and credentials that are involved in a group at least the public.

E

That's what the United serve in the private space will obviously be private to the clients. um It'll have authorization policy, um you can imagine you'll consent things that would be attached to it and Etc. um So we, you know I'll get into some of the details of the state, but but, broadly speaking, you know it's. The job of the servers to um collaborate in the maintenance of the state I think it's probably accurate to say that the Hub is the authoritative uh there's a source of the state, um and other servers may suggest things.

E

Clients may also suggest changes uh to say the authorization policy.

E

um So, while proposals for changes come into the Hub, The Hub maintains it and then maintains a synchronized view of the state across all the servers, and obviously synchronized is a little fraughtant, because you know time is different in different places.

E

You know relativity is being what it is, um but you know some notion of synchronicity I think the idea is to maintain some notion of sync across all of the servers and so I think a lot of the the where the design team has been discussing where there's continued work going on is elaborating what this state is and how these these maintenance operations go on.

E

So I have more on that on the next slide, but I think the these These are the high level um kind of operations that go on in the life of a room and just the high level jobs that that the server is participating in a room needs to do next slide. Please.

E

So now, turning a little bit to look at the protocol stack um and kind of how we accomplish those jobs, um as we we said above, the Mimi protocol is either server to server or client to clients. So the stuff that is not end-to-end encrypted is server server and stuff. That is, and then encrypted is clients, quiet um and we've. This is you know. Like a a few days, old we've only had a little bit of discussion about this.

E

This model, it's on the slide, um but we've got kind of a three chunk uh taxonomy of protocols. um So obviously there's a messaging protocol we'll have a message forwarding thing that the servers do we'll have.

I

You know message.

E

uh Encapsulation and formats um formats we already have um says messaging, which, like I said, is pretty straightforward, um closer to the servers and more more directly in between the servers. Is this idea of control. um So this is this goes the the the job of maintaining the state of the room. So um the idea is that two, um the word we use for the kind of sub protocols that manage the room state are control protocols.

E

We've got some more detail on that on the next slide and then all of this unfolds over some transport protocol that actually facilitates the communication uh among servers. Yeah.

G

This diagram and this control line, um like the Hub, is actually involved in that right. So yeah that looks like it's hopping over the Hub, but that's just a diagram, not problem.

E

Right yeah, yeah, I, I I, probably haven't gotten like the SVG generation. Quite right.

G

Yeah yeah yeah really.

E

Good at drawing the brackets, but like I.

G

Mean but the mechanic is what I'm supposed to be taking home. The mechanics is that the control messages are conceptually end to end routine provider, a and provider B, um but they're, also end-to-ending writer, a in their hop is that correct. Is that with atmosphate getting in mind or or even not end end or how's? Everybody thinking at this.

E

Yeah, this document probably need this diagram probably needs some iteration, because I think the the the framework is Probably sounds more like I think what I said on the last slide, where um there's when a server is submitting proposals for changes they get submitted to the hub over some control protocol and then the Hub distributes the changes to other folks. Other servers in the room so they're up to date again using using a control protocol but I.

D

G

E

The same kind of fan outs pattern as as, like.

G

Right well, I, I! Guess, that's right, I think that's what I'm getting at is. Is it possible, for instance, for the Hub to persuade? If we have you know, if we have yeah uh a b and c and b is the Hub? Is it possible for the Hub to persuade C A, send a particular message.

E

uh Yeah, so that's a yeah that is in fact on the next slide, um where.

G

We talk about fantastic, yeah, I. Think the.

E

Idea here is that in fact, we we should authenticate. um You know authenticate messages according to where they originated. So if it is, if there is a change that is provide proposed by provider a uh it is authenticated by provider a in a way that all of the other servers can verify it, um and, in fact, I think one of the active areas of discussion is whether we we also do that at the um at the client there.

E

So if Alice at provider a proposes a change, um should it be attributable um to Alice in a way that everybody in the meeting can authenticate good question Travis.

H

Sorry 30 second lie again um the control protocols, it's sort of described here, I know on the design team um we've been using some other words. That may not be uh totally understood by the group here, but I just want to kind of confirm. Is this what we've been previously calling signaling or it's um I guess like handles some of the encryption, some of the user level stuff.

E

Yeah so I think in in my intent here was to have control and Compass um all of the different State Management things um so control, maybe more as sort of a layer uh encompassing a few different soap protocols. So you might have so. We've been using the word signaling I, think in the design team, as in terms of uh things that control things like policy things and control things like uh abstract membership.

E

And then you know DS, like things that control the end-to-end state um I was viewing this control layer as encompassing both of those because they have kind of similar properties uh in in terms of the way they flow in the back that they're, both controlling aspects of the state.

E

M

Yeah, just a quick introduction, you said earlier that it's still under discussion, whether or not it should be clear to everybody when clients actually initiated something and signed something. So that, of course, is already the case for MLS, obviously, because those messages always originate from the clients and are signed by the clients and they're visible to everyone along the Route, and so for that that part of the protocol. That question is already answered.

E

Yes, of course, yeah yeah I think the question is how we propagate that out to potentially other aspects of the protocol.

E

I

um I just had a follow-on from Travis and Chancellor trying to understand the shift of signaling to control, which is absolutely fine in terms of terminology shift, but more kind of what the etymology is I mean. Should we be thinking of this like media resource control, protocol stuff, that kind of is sitting on top of other existing signaling protocols like sip in order to orchestrate things, or is that coincidence, or did wordges come from kind of grasping for something that wasn't as confused as people were getting over? What the word signaling means.

E

Yeah, you know how terminology stuff goes. You know one word gets tainted and you move on to the next one. um I I think the the concepts here we had the discussions and design team about there being some data structure Associated to the room that captured the room, State um and so I.

E

Think the the how I arrived at the control here was that, like we are the what all these protocols have in common both and to end stuff policy stuff, whatever other types of State we're managing those are all like taking a data structure, that's associated to the room and updating it somehow, and they all have this kind of kind of you know people propose changes and they get distributed um shaped to them.

E

um So try trying to draw commonalities, um you know, as the commonality that they're all kind of manipulating the state.

I

Yeah- and that makes a lot of sense, specifically, control, manipulate State messages sends actual messages and the state that you control with the control protocol could be encryption state or it could be a metadata about the room or it could be. The membership of the room or the policy of the room. Etc sounds great yeah.

E

Precisely yeah, it's kind of like the the state events versus other events taxonomy and um in Matrix, and you know, there's analogous things in some other protocols.

E

Yeah just try trying to find the the right set of words for, for this crowd, I think we can move to the next slide.

E

Okay, so so working through this kind of from the bottom up now, I've included some some fixed width font stuff on the left hand side just like totally notionally. This is not how you would actually do it, um but the idea of you know I think the functionality we're trying to wrap up in this transport um in the design team book has been calling kind of a thick transport or chunky transport, because it's not just delivering fights, it's not just a done pipe.

E

um The idea here is to basically provide an authenticated Eventing framework that the control and messaging layers can use so Define. You know a way to you say what an event is a way that you authenticate who sent that event and then also yes, the physics of how you get that event from one server to another.

E

um So if you look at the protocols, there are others from the predecessors that we discussed um in July, and this is kind of like the pdu framework. You know Matrix has these pdus that are assigned by their Origins these transactions, the passing pdus around the Mimi DS protocol had these DS requests that were assigned and went across, so that is to kind of capture that functionality um in this layer and I believe um in our last call.

E

um Conrad and uh and Travis we're going to kind of sit down and take a look at the idea, some of the ideas from EDS and some of the ideas for Matrix and see how what the right kind of combination was but yeah.

E

The idea is, as you can see on, the left is like have some you know, probably HTTP, maybe maybe even fold in websockets here some Physics of how this gets from one server to another and then within that have kind of an event, type framework that determines what else is in the message and have some some signing modality that authenticates, the origin growing.

N

Would you characterize that as an existence proof, rather than an endorsement, that you should go and do it that way.

E

Sorry, are you talking about my example here or the the message that's being sent.

N

um Well, certainly, the example that you gave but like would we be specify you know, do you see that we would be specifying an example or like there would be another document that describes you know like not the architecture document, but like the document that defines con control or defines some signaling things would have a concrete way to go and Signal this stuff, but.

E

Oh yeah yeah, absolutely so so. I think the the idea of the transport protocol would be so by when I say the transport protocol I mean some other document, not the architecture that I think some combination of Raphael, Travis, Conrad Etc will be. Writing um will Define all of these bits um and Define them. You know at least a way to do that that the other layers of the stack will assume.

E

I

um So a question about the signatures at the transport there um are we worried at all about this, causing compatibility problems for deniability in future in terms of proving unequivocally what device originated, some given message and then all the various blackmail problems associated with that and yes, I appreciate that deniability is for subjects and somebody with a sgx, um attested client can go and potentially break the deniability by improving what they saw at the time that a conversation happened, but from a purely practical perspective, we're at least aware of an awful lot of users who care a lot about if nothing else box.

I

Taking exercise of saying that a given protocol is deniable and slapping signatures everywhere, which locks everything to a given user or a given device, at least on The Matrix side has been seen as a No-No. Historically.

E

Foreign yeah, so if, if folks, like deniability uh they're, going to be sad with really quite a bit of you know of of the cryptographic architecture here, because MLS is all based on signature, um there's been some very preliminary thought thinking on how to to design a deniable flavor of MLS. But right now it's all signature based, so um I think the Baseline here will be that that you know the not much is going to be deniable um right.

E

Whenever you send a message, certainly uh it will not be deniable, because it'll have a signature that everyone else can validate. um So the incremental thing here would be whether um you know things that users send are attributable at the transport layer as well.

E

The State Management things in addition to messaging um I hope it's uncontroversial, so I think the signature here is intended to encompass, uh certainly uh server authentication um and in fact the client authentication is probably an interior aspects of this, because uh you'll want the server to test that it was processing one of its users messages, um so I would hope it was uncontroversial to authenticate the servers uh in in who are participating in the room.

I

Yeah I mean I'm, definitely obviously want to authenticate the servers, um but you can always talk here. It's a feature, if you end up having to trust the server um to claim the traffic on behalf of its users, um such that from a deniability perspective, a user could always claim to the surface in that traffic. However, if we're basically putting it out of scope for MiMi, because MLS already eventually has a horoscope, then I mean that would make sense on this, just by extension, if nothing else, I just wanted to check.

E

Yeah I mean like I, think what I, what I meant to say is like MLS is going to make at least the messaging non-deniable um so like that, doesn't necessarily mean that we should not have. You know uh non-deniable authentication in other parts of Mimi, but it does mean that the value of those that deniability would be less okay,.

B

G

I I think this is like because it's actually fine conceptions about all I can say at this moment: um um I just wanted to flag that you're you're that it's implicitly importing A New Concept, which is um the uh of a server a server identity, infrastructure right and yeah. You may just say well pki, um which may be fine but like at the you know at the moment.

G

uh Until this moment, the only Concepts we had or the webpki for TLS and some sort of unspecified any architecture for users, and this implies that in architecture for servers as well, um I think that's, probably fine and I. Think it probably can be the one pki, but I just want to make sure. Like everybody remembers, that's the case.

E

Yeah, that's it's a good thing to flag and we discussed it a little bit in the last design team call I. Think the good news is that everyone, at least on that call, agreed that the servers have domain names. So in principle you could apply the YPK out of the problem, but.

G

D

G

That would be fine and I think you know and- and you know I'm sure there'll be some complaining about how you know it's, not it's not actually EKU, but I. Think you.

E

Know you're violating my ekus yeah.

G

I mean I'm sure we can well. We could certainly do you know the well-known hack if we had to right um uh so.

E

Yeah Charles.

C

I do think that is going to be important, so certain very important players and who might be adopting this um not Google, especially but um uh and I'm wondering if designing this around group level signatures, if that's the right term. So, like you, have a key that authenticates you as a religious member of the group rather than you as an individual um like. Maybe that's something that we should design optionally into this and I. Don't know if that's compatible with MLS as well, but.

E

um No, in fact, I think it's it's enabled by MLS, because mls's whole job is to synchronize Keys across all of the clients, and so, if you can derive from that, then you can very easily do a group signature. So it's not.

C

E

C

Yeah so I I think that's a good compromise because you know you need you need authentication, but sometimes authentication has just as a member of the group is enough.

E

Yeah the trade-off would would be. The trade-off would be the granularity which you could apply policy. So if you're going to try and apply say.

D

E

um You know policy on whether you could send and you wouldn't have authenticated user identity to apply that policy.

C

Right but I think I think having that at least as an option would would go a long way to to satisfying deniability. uh It's a nice deniability Orcs.

E

Fair enough all right, Jonathan.

O

Can you hear me yep all right um so just to be clear, this signature is signed by the server and not the end user. Right like this is not the MLS signatures right.

E

Yeah, so I I should have been a little clearer on this slide. I think, probably what we want is actually two signatures: um a signature from well again: module of the other conversation, a signature from the user. That originated an event. So if I send a message or if I'm sending a proposal to you know, Grant Bob permissions I should sign that message myself and then my server should also sign it as originating from that server. Okay, so.

O

Let me talk about the latter, which is a server signatures which I am unconvinced. We need in this protocol, and the reason is is that we have this notion that there's a hub right, which is the the Central Point through which everything flows, and you could use just polynold mtls, to allow the Hub to know who the followers are um and for the followers to know who the Hub is. The only reason that that would be, and then we'd be done like we don't need anything else.

O

What the only reason I I can see that you'd want signatures here. Is you think that there are authorization decisions that a follower will make about another follower independent of the decisions that the Hub has made and I can't imagine what those decisions would be I mean. So if the Hub has made a decision to accept the message, do you really want the follower to independently say: oh I, don't I, don't you know yeah this?

O

It's signed it's valid, but my authorization policy says even though the Hub accepted it and sent it to me I'm going to reject it. It doesn't make any sense. Like I, don't know what decision making you would make off of this signature and therefore why do you need it.

N

I I can give a specific example of folks, don't mind me, jumping the queue please go ahead. Yeah so keep claiming key packages and obtaining uh obtaining uh user level. Consent are both activities that may require one follower to obtain this from another follower through the Hub, and it's very useful in this. In both of these cases to know what is the origin, you know, what is the origin follower.

O

And the decision would be made by the follower, not the end user you're, saying Ron.

N

Sorry, this mute is taking a long time. The follower, um the the the the follower is, the one that's originating the message, because the end user is used potentially using their own native protocol. In order to do this so there's you know, you're translating from say the WhatsApp protocol. The client clicking on I want to do a you know.

N

I want to set up a one-on-one connection with Rowan at wire and I'm, using my own protocol on my on my server, and this message needs to originate from the provider go through the Hub provider, which might be you know, Google or Matrix, or something and then go to the other follower provider and.

I

By the way, these are a lot of.

N

These are written in the this. These these scenarios are listed in the draft May Mimi uh transportdesign requirements document.

O

I understand the use case, I'm saying I still, don't know why you need the signature per se, which is as the there's two followers here right, there's the one that originated the connection request and then the one that received it, um the one that received it like. Why do they need to I'm, not saying they don't need the we need to know who the originating user was that sent the connection request.

O

There's no dispute on that, because the recipient received the connection request has to make a decision, yes or no right, but the Hub is going to already authenticate and authorize the follower that sent the connection request, um and so, if that was invalid, it would have dropped it it didn't it forwarded it to the receiving follower. Why does the receiving follower need to authorize that this has not been tampered with as if it was the Hub would have rejected it? That's that's the that's.

O

The part I don't understand like, and it doesn't feel like it's adding another layer of useful security.

M

um Yeah I guess it's my turn anyway, so I think I can speak to that. If we just um go back a little bit, uh I'll first answer um child's concern and then I go back to that uh because usually it's me who ends up speaking when it comes to deniability. So today is not going to be an exception, um so I think the question Matthew brought up is really interesting and I hadn't. Given it a lot of thought in the context of Federated messaging I had a server to server layer.

M

Essentially, this is also new in the sense that typically deniability is something that exists between users and not in Federated messaging. So far, so um that's definitely new territory.

M

um So yeah as Richard clarified the signatures we are talking about on this slide. They are server to server. So whether or not we need deniability at that level, the whole new question my gut feeling is, we don't need it and it's going to be weird, but let's see happy to discuss for the signatures used in mls in in the vanilla core protocol, there is no deniability, as Richard already pointed at.

M

We are looking into how we can improve that for those who want it and I'm also aware of this one gatekeeper's requirement there um and that is sort of disconnected from the transport, um in the sense that it's a it's a different kind of authentication that it's really end to end um it. It could be tainted by the transport, of course, because then the transport gives you some proof that a you know, a message has traveled between two servers, at least, but not necessarily between two users.

M

um So you know that that's something that is uh not completely impossible, uh but yeah. This is also the place where I say it would be great if the folks who want deniability um speak up and uh say so on the record now going back to um Jonathan's question here. The the whole motivation for the signature was that between two servers, meaning a follower and a hub or a hub and the next follower, the idea was to have mutual authentication and one way of achieving. That, of course, is to do mtls.

M

There were reservations for that, specifically simply because it's hard to do in Google scale environments, you don't get your hands on the private key used for TLS, so that you can do the other part of the authentication.

M

So the proposal here is to have the.

D

M

Between floor and hub authenticated one way through TLS and the other way through a signatures, a real request is essentially originating from the follower, would then be signed as a counterpart, um and that is what Matrix is also doing.

M

So this is the starting point. Whether that's going to be the final design is a different question. There are some concerns about how that can scale um that are definitely valid, but the starting point is to have a mutual authentication that happens through two different mechanisms.

G

Yeah so I had not processed thing, Raphael just said and I think that is a very, very bad idea.

G

um um So, um like you know, uh I think it's going to create I think having having things which are authenticated only in One Direction um and then and then relying on the signatures on the other thing carried above them to to provide authentication, somehow implicit application. The connection seems bad remember. The signatures are not probably confidentiality for the data so like. Unless this is done very carefully, we can have a situation where we've authenticated one side of the connection, but you're talking the attacker and the attacker.

G

Basically, the attacker is basically initiated Connections in both directions and he's now proxying back and forth, and um he he can't. He can't adjust anything, but he can, but he can see it so um people should bite. The bullet do and do mgls um uh um not try to not try to work around it with something at the layer above, um but you need very hard to talk about the intelligently about and reason about, the security properties of the system. If we don't do that um so I'm.

G

Sorry, if that's unfortunate, if that's inconvenient but like that.

D

I

If they don't want.

G

To do that, then we should just then we should. Then we should do a channel binding or something else that binds the connection. What we should not do is use signatures at the at the at the uh um not necessarily- maybe maybe not Jonathan um uh uh Channel bindings the appropriate technology here really, um um um but um in any case, um what you should not do is use signatures as as as a way to avoid avoid mtls um I'd assume.

G

The purpose of this exercise um was to um I was to distinguish between um actions initiated by the by by someone who's, not the Hub on the other side of the Hub and the Hub right. So it's a Concrete example um say that the uh um say that uh I know um a user of the bees, the Hub and a user of C reports. uh A message is abusive, Senpai Sun by someone from a and they want to be propagated back to a um we don't want B.

G

We don't want the Hub being able to pretend that something was abusive when it actually was reported abused by someone by user received when it was not um that's what I understood the technology has to be. If we don't think any of those situations are are relevant, um then we may begin their way without this integers, but I'd assume the situation was we want to distinguish between. As I said things initiate by the holidays issue by the Leafs.

G

K

So I gotta interject here with the chair programming, note now we're at the end of the scheduled hour for um for the architecture discussion. However, as Alyssa said at the top of the session, we do want to like uh have this discussion. You know reach its conclusion today.

K

So what we're going to do is um is uh move like accurate's presentation from the second hour on Discovery requirements to the next interim, that we'll have uh to make more room to discuss architecture, but we still, uh we still intend to get to the remainder of the user Discovery stuff. uh Okay, so with that I'll reopen the queue. So we can pursue discussion of this current topic. Thanks.

E

Sure I was hoping we could wrap up the transport topic, because that was the easy slide. So thank you Tim for and shares for the uh the extra time because um we can definitely fill it. um So I think that I appreciate the discussion on the transport stuff. um I think that's a lot of good input. um I will ask I, suggest we kind of take that back to the design team and digest a little bit and come back with that with revisions.

E

um So let's go on to the next slide, which is about kind of these control protocols and what those might look like so yeah. The idea, as suggested above, is that if you look at a room, it's going to have a few few types of state that are mostly independent from each other and mostly we'll get into a little bit in the slide. The next one um right, at least you know, end-to-end encryption State. You know which clients have the keys to decrypt and authorization policy.

E

um You know which users and which servers are allowed to do things in in the context of the room. So those are pretty distinct um types of State. um You know MLS does a lot to do uh into an encryption state. Does nothing for policy there's some good. You know policy management, stuff and Matrix and related protocols that this operates entirely independent in encryption.

E

um So the the con kind of concept here is that, for each type of this state, Mimi should Define a corresponding control protocol. That does the stuff that is needed to manage that state. So, on the end, encryption side, you'll, have uh you know, objects you'll, send via the transport to um go and fetch a key package from another provider via the Hub um you'll. Have um you know events you send to add and remove clients for users who are participating in the room?

E

uh Things like that on the policy side, you know you know, there'll be some event that articulates the creation of the room with its initial policy. There will be something that declares the policy envelope for the room the Hub sets, and then there will be. You know, proposals to modify this um this this policy, as as there evolves, um so the grant capabilities do not capabilities things like that.

E

um So the idea is, you know, we'll have kind of these. Parallel, you know uh Proto sub protocols, I've been thinking about that use the transport to move around, but manage kind of independent types of the room, State and and this this left-hand example is kind of an example of one of the things you might see in the M10 encryption control protocol, where uh Alice on provider a is, is requesting a key package for Bob. So if you can add them to the room- um and you know it's signed obviously one of the controversial ways.

E

But the idea is that the control protocol within this overall inventing framework the control protocol would Define. You know a certain slice of event. Types would Define the internals of what goes in the message. What goes in in the events and things like that, so that you.

D

E

Would have enough types of events and enough information in those events to get done, whatever jobs it needs to do for managing the state. It's in charge of So and I've got got some more controversial stuff on the next slide, but any questions or comments on this kind of General approach, yeah, listen.

A

Yeah I wanted to see if we we still have the notion of sort of like two levels of policy. When you talk about the policy envelope, that's like this is the span of policies that could be applied to this room, and then you have a protocol that the Hub uses to communicate what that is set at initially and then the followers to adjudicate, whether that they want to make changes to it.

A

And then you have a lower level policy, which is specifically like this user is allowed to do these actions in this room and again the followers talk to each other about the specifics is that yeah.

H

E

I yeah I think we still have that that's um I believe in the section of the architecture, doc that described that discusses the policy control protocol um that um that notion of the envelope versus the specific policy is still there.

E

F

E

So one thing to note about the way I'm describing this here is that um you know there's a control protocol for each type of State, um because the types of state are mostly orthogonal to each other. Basically, it's up to this.

E

The servers and the clients participating in the room when there's overlap between these two uh types of states to make sure that the two types of State remain consistent and one way that that shows up pretty immediately when you start looking at this is um the notion of uh membership in terms of clients and end-to-end encryption State and any non-cryptographic notion of membership or permission at the user level, in particular on the next protocol on the next slide.

E

Please so something that has uh we've gotten to has kind of emerged as a um an interesting point in the design team discussions. Is this question of whether uh you can be a member of a room in some meaningful sense without having any clients that are part of the end-to-end encryption state um anchor? Should I go on or do you want to interject there.

G

Sorry go ahead: okay, yeah.

E

So the the way you you kind of kind of arrive at this question is that you know if you look at the end-to-end state of the room, you know like an MLs group like when you look at that end-to-end State, you can see which clients are.

D

E

Have access to the Keys you can see which user each client belongs to, and so you can get a notion of which users are in the room based on who has the keys.

E

um So the question is like: is this the only notion of user level membership so.

G

There's there's.

E

A notion it says you at the same time, you can also Imagine independently managing um uh some notion of user level membership so that, like I, can add Ecker to the room in advance of doing anything with regard to end-to-end cryptography.

E

um All he could he could have no no devices I've, never known him to be that you know without devices, but it's in principle possible with accurate, could have no devices alive at a given moment and so there's no way to join into the intent encryption state, but I can still kind of Mark him as uh someone who's in this room. Who has capabilities in this room as part of the policy um and so yeah there's a question whether we also have that um that notion of user level membership, that's not derived from uh cryptographic.

E

You know having some clients join to the room. um Those arguments uh on both sides of this, so in favor, of having an independent initiative membership. Is this idea that, like if.

I

E

Paranoid web user.

I

E

I, you know log in and use uh my my web client for some time and then I just delete all of my browser State. All of my private keys go away and I leave the encryption state like if I do that repeatedly, that's how I interact with the room, the other client shouldn't, have to be bothered with all of that. They should just see that I. Am you know persistently part of this?

E

um That's that's one argument on the other side, um if you don't have a client joining the room, especially if we have this notion of user level signing that we discussed in the transport context, then you can't actually do anything in the room. So certainly you can't read messages if you're not part of the end-to-end encryption State. Maybe you can't even like sign a policy message to say you know. I should join someone else.

E

um So if especially in that case, where we're signing messages from users um like there's really not um the only thing you can really do. If you don't have any clients already joined, is join a client and then take some option and when I propose level before we uh start processing the queue um as a possible middle way here, I think that maybe the word membership is hanging up. Speaking as we were earlier of Tainted words, um it seems like this.

E

The thing that folks have in mind when they talk about non-cryptographic Notions of membership is really like things about we have about which we have policy.

E

um You know we already I think a pretty good agreement that there's a need for a policy protocol independent of the uh of the intent decryption right, because and then encryption protocol still do policy, and so maybe the the the closest thing we have to membership outside of cryptography. Is this idea that, like this user, appears as a subject in the policy, so the example here like if I don't have any clients joined I'm, not an active participant I'm, not a member.

E

If we're going to use that word of the room, but if I do show up, one of my clients does show up it. Has these capabilities? It's allowed to add people, but not to send messages Etc um so like maybe that's a close enough notion to map onto some precedence, but just let me throw it out there. um So that'll open the queue anchor.

G

Yeah so I think um before we talk about mechanism. Let's talk about policy for a second or use cases.

G

um So I think that the use case that I think here at two use case I think are important to some degree or another one is um you know um uh one is I lose all my devices I should be able to like come back in the room without having some that should happen automatically right. That should not. That should not require some some user. Some person to be involved in in re-adding me so, like that's I, think that's one um I I think perhaps um uh um uh less.

G

um um It should also be the case to add somebody, um you know with them being offline right and and I think it needs to um um such as if they come something starts when they come online. You know it works properly.

G

Now, as I understand it, um you know in MLS or someone ambiguous notion of membership, which is to say that there's um a sense in which um you know um in which I can read messages but I'm, not actually part of the group, um um because I haven't set my own update um and there was a bunch of material about that in an architecture document that I was like I had to work through people, um so um so so I think, um but that's probably less important um a thing, but just like this liminal state, where you're like actually you're you're, not officially in the group that you actually are in the group um um um but I think the most important thing like I say is um that um that, once someone is um added a group and by someone I mean a human, not like a piece of software, another device.

G

They should continue to be in the group by having other people walk around and so I, don't I, don't like I can imagine eight different ways of doing that, but um but but I think I think, and this may be a fine one, but I think that's the required. If you think that's not a requirement, we can hear that now because we simplify things dramatically. If we didn't have to solve that problem,.

E

G

E

That that makes sense to me right.

F

Hello, yep gotcha.

N

E

Hear you fine so.

N

I agree that uh I agree that you need to be able to have somebody who was who was a user who was added and then deletes all their clients that they need to be able to have another client go and join later and I. Don't think that that is membership I think that that is authorization. They are pre-authorized to go.

N

That user is pre-authorized by virtue of the fact that they were added once uh so I think by keeping these Notions separate I think we get exactly the properties that we want, and we don't have this confusion about what a member is. And, furthermore, um you know having been through quite a few discussions with multiple uses of the word member I. Don't think we should be using membership to or the word member to be, describing anything to do with rooms or users.

N

I think we, since we have a night the concept of membership of a member in an MLs group that that should be. That should be reserved for that in order to invo, to avoid even the possibility of confusion and that we have another perfectly good word: participants which we could use for people who are active people who have users who have clients of whatever, whatever end-to-end encryption, variety that they want that are in the appropriate uh and and encrypted messaging.

E

So Ron, let me ask a question real quick about your pre-authorization notion, um which I think. Clearly, um you know one of the things a someone who is in the room as Ecker Point knows someone who is in the room and has lost all of their devices should be able to add, should be pre-authorized to add new devices.

E

um Would you but I think a corollary to ecker's point about durable durability of of being in the room would be that any policy Notions about like what I'm allowed to do should also be durable. So would your notion of a pre-authorized you authorized clients user be compatible with, like also having policy about that user.

N

Yeah yeah and exactly what is written in the in draft May group chat. Draft Mimi group chat like everything that's written. There is consistent with that, including using the term pre-authorization, including the the you know, the blob that's defined there um now I I think that I have I tend to have this notion of policy as being a very narrow thing. Not that Richard is an admin, but an admin is allowed to do this and go consult whatever list that you have. However, you got that to figure out who isn't you know?

N

Who is an admin? um I also want to point out that um it's quite possible that you could have a you, could have a user that has permission to ban other users from a room even if they're, not a participant in the room.

N

It's somebody who could get like a third party. I am and say: hey. This person is being abusive like could you please? Could you please ban them? They don't even need to. They don't need to have any clients in inside in order to do that, so I don't think I. Think membership is a very poor.

N

uh A very poor term to use to describe people who can do things or are are are described as having some some role or relationship to a room.

E

I

Okay, I'm trying to follow this, um so we're saying that I'm wondering if this whole explosive material thing might just be a terminology Gap in the end, maybe possibly so. It's uh surround you're saying that um uh participant is okay as a way to describe users who might not have devices in a room because they could be pre-authorized members or.

E

I think Rowan was trying to use participant for someone who does have a device Droid, so they're an active participant.

I

Okay um and what was the proposed terminology done for somebody who doesn't have devices in the room because they've been invited or they've logged out of.

C

All their devices.

I

Okay, what would we expect the ux of this to be in a uh connected in to um well speaking in a mini backs room if, if a user goes and logs out of all of their devices- and they are converted from being a participant into a pre-authorized user, do we do they still appear in the roster, perhaps grayed out or something or do they suddenly wink out of existence?.

N

I mean I think that's up to the implementation, they could be grayed out or they could simply be dropped. And then someone who.

E

Would and then or they could be displayed as normal right.

N

Yeah I mean you could do it either way, I, don't think I, don't think that there's anything that you that any current behavior in any am system that I know of that. You can't do using this.

I

Okay, so it's basically saying, rather than having a long-lived room membership thing that lasts for as long as that user is associated with the room. Instead, they flip-flop State between either being a pre-or-farosed user or a participant, depending on whether they're, currently participating in the MLS group.

H

N

Or or you know whatever and then encryption protocol it is.

I

Yeah: okay, um thanks for clarifying um I, was just trying to understand that I was tracking, hopefully useful for other people too.

F

M

Yeah so I think Ron said the most important bits already um uh I think it might also be helpful to try and dissociate what the potential ux is with the actual mechanism that we have at our disposal with MLS, because we need to make this work first and foremost with MLS, and what Ron proposes to to have this pre-authorized list or just a list, no matter what we call. It um is exactly how that could work with MLS, meaning those users are not part of the MS group.

M

Obviously, but it gives them the right to do an external commit into that group, and everybody will agree that they're allowed to do that and they will not reject that commit.

M

um And then we have those mechanics locked down essentially, and the important bit here is that there is agreement among the group of who can rejoin the MLS group with that mechanism and, and once we have that now down, then we can think about. You know what the potential ux is. Do you display these users in the same way? Do you display them differently?

M

um That probably doesn't matter too much at the design? Time of the mechanism.

D

G

I'm going to swap with Jonathan, uh because Jonathan actually contributing people for me, but like we have a shitty, UI yeah.

O

All right, so can you hear me.

G

O

Yeah, all right so I I think we're dancing around the word and and we're getting confused about it. To me, this is not the way to think about. This is is in fact starting from the user experience as a user in a messaging system.

O

What's really important, what's important to me is to know when I send a message who who could potentially see it, because that's gonna, it's important to me because I'm gonna know how to craft that message right and so whether they currently have a valid client that has access to the key or whether they don't but could obtain one in the future is not that important at all from a user decision making process. What matters is. Might this person potentially see this message and the answer is yes, what.

N

You just said is: is self-contraductory because.

O

They don't have a clients.

O

All right, Rowan can get in the queue and argue with me when I'm doubling my point so so.

O

um I I think that this thing that we're calling a list of pre-authorized users is the roster as we would think about it, and um and and- and it is important particularly, it is important for that to live as a whatever we call it I'm, not arguing about the name but I'm, arguing that there is this piece of state that is going to be maintained by The, Hub and synchronize, that to the clients that answers the question who are the set of people who currently will potentially see messages, sent right now into this room and I?

O

Think it's important for us to recognize that that exists as a piece of state that is facilitated by this protocol. In addition, it did being used for policy purposes right. We want to want the Hub to say oh right now, my policy is, is that you know Rowan is blocked right, he's still in the room, but he can't send messages. So this is obviously going to require that the Hub have some notion of who people are and um be able to look at lists.

O

So this is all in scope of my view for the responsibility of the Hub. Thank you.

G

Like I think, the key question, as Jonathan says, is what is the user Petition of what happens the messages they send and there's a cryptographic sense in which, at this exact moment like if I send you send? The message to you know to the group.

G

Membership is not part of the group he's not going to get it um I think there are at least two situations in which that might be might be confusing right, one of which is, um you know, various kinds of scroll back in which you know, people backfill um the data that is not always available in every application, but it might be in some and it's perfectly reasonable to think that you know that you might have to scroll back for people who'd been pre-authorized the entire time.

G

Even they were members exactly the scenario where scroll back is like most interesting right. um It's also the case that you know um uh that. There's a question of like how these interface behaves, which I mean we can't we're trying to detaine's interface but like there's, a conceptual difference between like this person was in before was like then, before the machine. Their Vice is out- and you know, and now they're back in again, um and this person is like something I've never seen before.

G

There's now in the group right- and um you know if the behavior is that when someone is in this pre-authorized list- and they say an internal commit, they're just automatically joined and we have a race condition where there I think I'm, not sending Richard's, not part of the group and then suddenly he is Richard has a message or there's re-transmission or any any of these other things right, um depending on the research version, behaviors exactly how that exactly are exactly organized right and so in those situations.

G

I expect that I want to know when some new person joins. The group um in particular, maybe I'm supposed to like actually yeah I, have some real alerting about that. But I don't want to know a major gets, a new phone, and so um you know I think these are potentially all workable from user interface perspective. But I think this does tell us that um there's some mechanism we need here and then we have to give some pretty clear guidance to people who are Building Systems.

G

That use this that sit on their own screwed up and produce, like undesirables interface consequences. Whatever.

D

G

Guidance like like this is a complicated concept and so like, if we're going to have this, if we're going to like actually imply that, if we're going to use a bunch of words which are designed to suggest this person is not actually like in the group, I'm kind of voiding the words we're using so far then and they're sort of like limitingly in the group, then I think we have to like really be clear that you can design your face to support with that as well.

E

Thank you. Okay. We have five minutes left for uh Conroe and Wilson. So please be brief. Conrad.

A

I think we should take as much time as we need on this honestly. Okay,.

A

There for the whole thing and I unless somebody wants to get in the queue and argue about it, um I think this is higher priority than discovery.

E

For which this is the last content side, so we can wrap up after we finish secure here so Conrad. Please go ahead.

B

Yeah I just want to apprecially agree with the factor that we should be. uh We should definitely give a UI kind of guidance, or at least uh kind of be clear um with our terminology here. um At the same time, I just want to address two two things. um One is scroll back and like that.

B

That is probably we're probably going to have to discuss, discuss in depth because, as uh Rafael pointed out in the design meeting, Zante meeting uh like there's one scroll, one type of scroll back where you scroll back kind of you scroll back between your own devices, the devices of a single user.

B

So that should not be a problem, because at that point the user has one device in the group already, and so it's just a user even on the MLS level and the other situations where the user does not have a client in the group, which is the situation where we're talking about. So that would require scroll back between users, and that is something that should be kind of visible and agreed upon on the group level. Or you have two users who are kind of weirdly colluding without it being part of the group, configuration and I.

B

Guess, that's a weird thing to do on an application Level anyway, I'm, not sure if we can do anything against that but yeah. So we should probably discuss that a bit more in depth uh in a different context.

B

um Another thing I want to suggest is that talking about user level, membership is a bit tricky from a kind of, if you call the users members from cryptographic standpoint, because what we probably don't want to suggest is that we have a user level membership that has some sort of cryptographic backing outside of MLS I mean we.

B

If we wanted, we could create it, but that's kind of that would open up a whole design space and uh so kind of just having this pre-authorized uh notion of users that are allowed to do a very specific set of operations such as rejoin that probably works. But if we like really open it up for a user level, uh interaction where the user can kind of I don't know, do actions without being a part of the MLS group and those without kind of have a key material to back it up.

B

uh Yeah I'm a bit worried on how establishment of that look like for that or the security guarantees.

D

F

D

L

E

A

Yeah I, just I, just wanted Conrad to clarify what the meaning of scroll back between users is unless it's clear to everybody else, but that was the part that I didn't understand. Scroll back between users.

B

Okay, uh sorry, my bad.

B

If I didn't explain that correctly, so at least to me there are two situations where you can have scroll back: one is where um I have a device in the group and I join into the device into the group with a new device, and my other device gives me all the messages that have been passed in the group for some, maybe I, don't know for some 100 messages or something whatever the the limit is there, and this is a kind of passing of messages from one of my own devices to another one of my own devices, so that's kind of user internal scroll back between two of the user's devices and then you can have scroll back across users if there's a user who doesn't have a device in the group but who might be pre-authorized and then the user joins the group and another user now goes and provides drawback for that newly joint user.

B

Does that make sense.

A

Okay, this is like somebody who was in the MLS group, initially sort of gives you a certain amount of scroll back, because now you're anointed as being part of the MLS group.

B

Exactly and I mean that's kind of dangerous, because then users who have sent messages in the past have no idea who they sent messages to at that point, except maybe if the user was pre-authorized, um then that might work. But again that's a UI question. Yeah I think.

A

Got it? Thank you.

N

Yeah, um okay, so Jonathan Jonathan mentioned this idea of.

N

If the the thing that most users care about is who will be able to receive a message if I send it right now, and so the default is that, if even if they're pre-authorized, but they don't have an they're, not in the MLS group or they don't have you know if we were using double ratchet, the same thing would apply if I didn't have any sessions um set up that you wouldn't be able to receive, you wouldn't be able to receive the message uh and so saying that they are no longer an active participant.

N

I think that that is, that is the right terminology that or that is a that is a very understandable set of terminology. There could be other good sets of. You know terms for this uh and saying that. Well, because a user is pre just because a user is pre-authorized, they might at any moment come in later and and do this, the I I.

N

Don't think that that's particularly compelling, because likewise the the race condition that Ecker described it could be that a user adds somebody adds another user and that there's a race condition which means that I start to send a message.

N

But you know, as the as the uh you know, the commit arrives basically as I'm hitting the return key and my client decrypts the the commit and goes and sends a message in the new Epic to the new participant like that's, that's not a problem that Mimi is going to provide the answer to, um and also this idea that we want. We want to exclusively Drive our uh our protocol, based on um based on the user experience.

N

This is not going to be 100 possible because different met, popular Messengers have different user experiences, which are not consistent. You just have to look at how how like um group DM works to see that it's not possible for us to to do something. That is, that is going to be exactly the same guidance for every for every uh every client. There are going to be some variations.

N

So I think the terminology that I proposed works I, don't think it's the only one, but I think that it's well explained and if you read the the group chat I think it explains how to do everything that we that I think that we want to do, and nobody has said: hey I, don't think you can do XYZ feature or this such and such interaction Works. uh If you, if you do it this way. Finally, the pre-authorization rules they they might not be just for a specific user.

N

They could be for like a department or an entire domain name right, um and so we're we're, not it having the the possibility that someone could go and inspect that possibly using some separate user interface. That would be useful, but these features already exist now, where people who are not on the roster can join, uh because by virtue of the fact that they're in a particular domain or they're in somebody's contact list or what have you or they used a join link that they had um and so rosters can change quickly.

N

And if you want to con, if you want a client, that's going to inform you every time the roster changes. If you were about, if you started composing before you sent that's a feature that doesn't exist in any client at the moment, but it's a valuable feature. But we can't base our base, our protocol and our terminology on a feature that we would like to have that doesn't exist. Yet.

A

Yeah, I guess um I, don't know if this agrees with what you were saying or if it disagrees with it, but the part from what Jonathan said that I thought was very useful and and to Ecker is to sort of like match the the protocol support to The Entity that needs to act on it so, like I, do think. It's probably the case and I'm happy for people to disagree that, like I, really don't care.

A

If I'm in a group chat with with a bunch of other people, I, don't care how many other, how many clients they have or like when they switch clients and potentially I, don't care when they get rid of all their clients either.

A

um What I care about I think as Jonathan was saying, is like whether they can read the messages or not, so that might just be useful as a demarcation point of like what are we signaling to which uh like at which level based on who's, going to actually act on the information, that's being signaled.

A

um My question is: if we, if we think about this pre-authorization state is, if you can only put yourself into it or if it's possible for anybody else to put you into it I.E. Obviously we want it to be possible for others to be able to kick you out of the MLS group, including other users and possibly other servers.

A

But is it only the case that you put yourself into this pre-authorization state by not having clients in the room.

N

Alyssa, did you want me to answer the question or wait until my turn.

A

um You or Richard.

D

A

Or you can somebody.

N

Else could add you to the three off list.

N

There are a bunch of use cases for that.

A

Why would they do that? Can you can you just give one or two.

N

um I went to go and add, uh add a user, but they didn't have any, um but their server was down and so I couldn't get their key packages and then I know that I'm going offline for a couple weeks, but I want them to be able to participate in the discussion. So I add that user from that other domain, that's offline to my pre-authorization list for the for the room that I'm the admin of and then when they come online uh they can join without without further.

N

You know, um I could also say that joining via links is is sort of a use case of this in the generic sense.

D

N

That's a very common joining. You know it's a very common way to join.

A

Okay, that's helpful. Yeah I was thinking of the other way around like if I'm in the group and I get reduced to the pre-authorization state, there's no equivalent of like kick or ban just down to this state.

A

There's no like policy.

D

A

All the things you would take to put somebody into this thing, yeah exactly.

A

Okay, that's helpful thanks, I think Mallory is next.

L

Okay, um yeah I, just before we move off of this and go into the discovery, discussion I just wanted to point out something. That's still um maybe bugging me is the right word about the Assumption of this architecture, where there is a host of a group because I'm not I'm, not sure that is the only choice, but it is the only choice, we're talking about and I'm starting the more we talk about the more I'm seeing flaws of it and um so I'm, certainly questioning that assumption.

L

I, obviously, don't have an alternative necessarily to present right now, um but I don't think we should necessarily take it as a foregone conclusion that this is the right direction um and I would just make one really I guess practical, and so maybe not that important point, which is as far as the interoperability requirements of legislation like the digital markets act like group chats, are a known, hard problem and they're, not really it's not actually required for quite a long time.

L

So, if, if folks that are going to be implementing something sooner rather than later, they're just implementing something between two people and to and I know that we've identified that a group of one is still a room or a group of two is still room, and then a group of you know, n plus, whatever is still a room. um It is definitely Overkill when we talk about all these different features and all these different which I agree with Rowan, do not need to be defined by Mimi.

L

The features do not need to be defined, um but then all the back end that would be ostensibly supporting. That is pretty heavy for a two-person encrypted conversation. That's it.

F

J

Should I go next.

A

Yep, please go.

J

Ahead, um yeah, just a quick thing about uh I- think it's useful for us to be able to track room membership separate from client membership and kind of keep that as a roster um I, think there's kind of a lot of useful implications from it from that's, not just for your user at first perspective, but I think you know, even though we're not thinking too much about it, but from a transitional perspective that will make it a lot easier. For you know, people to.

F

Move up and to be able to kind of get into our velocity, so just something to kind of just keep in mind as we go through about this.

D

Okay, go ahead.

I

Thanks um so the thing that is confusing me now on this is the we seem to be getting to the same energy result, whether it's a user whose state is flip-flopping um between being a pre-auth user versus a participant user, um or if you just have a roster item of the user on it. It has zero or more than zero devices.

I

And it's really not clear to me why it's better to have a strangeness where the states of the user is even managed by the roster, presumably if they're pre-offed and then, if they've got MLS devices, it's managed by MLS, and then they log out with their MLS devices and they pop back to being managed by the roster rather than just having the user managed by the roster and the devices managed by the MLS group. This question goes to run.

N

Hi um so I guess, first of all, I, don't Envision that once you're pre-authorized that just because you become an active participant that doesn't mean that you need to be removed from a pre-authorization list.

N

So if you're added, you know, you can be both an active participant and pre-authorized. That's there's no like there's no need for you to be not on a pre-authorization list just because you are already an active participant. It's only if you were the only time that you would could not be on a pre-authorization list would be if you were added as like. A temporary uh temporary user. That was supposed to have an ephemeral connection.

I

Would you flag the pre-authorized users as different um based on whether they've been invited into the room or whether they happen to be a user who is already participating in the room but doesn't have any devices I.

N

I wouldn't make the distinction there I think really. It would only be if I had a type of you know of invitation, link or joining link. That was intended for an ephemeral. You know one-time use one time single single client use. Okay,.

I

Although semantically, they are quite different in terms of hey I've tried to pull this user into the room, they haven't participated at all. Yet um they're, you know they're not going to get any scroll back or anything versus.

D

I

User, who was in the room who just happens to be switching devices or something and as some of the I think Conrad was mentioning earlier, um they could collude out of band with another participant in the room, and the social contract would be fine for the participant in the room to share the messages that they missed.

I

Whilst they were away because Samantha clipped, they were part of that conversation and they could have rejoined that conversation at any time so to Jonathan's point where no there's, eventually this race, that any user could suddenly re-pop up with a valid device in the room, and you just don't know when that's going to happen so everything you say you have to say with the knowledge of that person might just spring back to life. Surely that's.

C

D

I

Difference in montic state to end vote.

N

But but I think that the difference there is that if it's, the policy that you have that you have this collusion, that you'd want to be able to describe that and like, for example, in draft May Mimi group chat. There is a place that describes like logging, history and things like that, and so, if your history is logged, then you then you would know, even if the user isn't, you know, isn't an if, even if a particular user is or is not in a pre-authorized list.

N

The fact that that 10 seconds after you send an incriminating message about about Carol that Alice could go and invite Carol and that she has the ability to go and do that scroll back that that's the thing that's more important, not whether not whether Bob has any active clients. You know whether Bob has listed in the roster or not.

I

N

I'm, not in the roster yeah.

I

So I think you still semantically don't need to distinguish between users who are invited where the policy of the room might may or may not say that it's socially acceptable to gossip messages and scroll back for that invited user between participants. Now we have that Matrix.

I

Today, it's a joint rule, Aviva invited or or shared history for invoices, or something else that basically says whether invited users are allowed to try to get a scroll back or not versus a user which is actively has accepted an invite, has been participating in the room and has disappeared again and I strongly suspect that if we scratch the surface with more examples and edge cases, we'll find the it's almost safer to distinguish.

I

These two states, at which point I, think we're completely isomorphic with the original proposal of having roster track, where the user is in the room or not or invited to the room, and it is the same as your pre-off state and the roster and then completely separately.

I

You've got MLS tracking what devices are in the room, so I think this might just collapse to peer terminology um sort of bike shedding in terms of whether you call these roster users, pre-authorized or invited, or whether they are member room members or whatever words you choose to use for it. I mean anyone feel free to correct me if I'm wrong, but yeah.

E

That that was a conclusion. I was going to try and pull out of this that a list of pre-authorized users uh sounds a lot like what other people were referring to as a as a roster and I realized, I. Think Rowan. You were just using raw Street to refer to the list of MLS the MLS derived list of users, um but I think you.

N

Know as long as we're agrees, encryption protocol derived list of users.

E

Sorry, yes, encryption protocol, Drive list of users, but I think it sounds like like we. We have some commonality in the data structures. We agree like there's a data structure you can derive from the encryption State there's a data structure of pre-authorized or whatever that.

D

E

Managed some other how um and we just need to make sure that, like those things uh were clear about the words we use for those different things, what does that sound like an accurate anyone, have a difficulty with that characterization.

N

So I I um I think the place where I disagree with Matthew here is that um you could, if you have a bunch of specific features, enabled you could uh you could make this? You know make the make a roster collapse. You could make all the the you know these Concepts, that I described collapse into a single roster, um but not everybody, not every client is going to go and support those features, and not every room is going to support scroll back.

N

So in the case where they don't then being able to distinguish that the that a user is going to get your.

N

You know that that, from in my terminology that they're an active participant, I, don't see how you get that information um or how you describe that that state, uh with the with the system that Matthew described.

I

I can try to jump.

D

E

I

E

Raphael, did you want to get in the middle here? Would you like let Matthew go.

M

Ahead, miss you, if you want.

I

um Okay, um thanks Rafael um I mean to clarify I'm I'm wondering if we also were talking about the same thing with roster, so I'll just say that you've got the non-cryptographically linked room state of the conversation and I'm. Assuming that you invite the user you go and put them in that room. State saying this person has been invited just like you might ban them, or even if they've never been associated with the room at all, they then joined they've got clients.

I

They get added to the MLS group everything's great um later on uh and I I guess. At that point you could um change their state in the roster from invited to joined.

I

In fact, that's the only difference, I think in our models that I'm proposing that you do update the roster at that point to say that they have actually accepted the sin vote so that subsequently, as the user runs out to devices or switches device or whatever, they don't get mistaken for being an invited user and that you just semantically differentiate between people, who've been invited and haven't joined versus those who have joined that happen to have run out of devices. I think that is the only difference in the shape of our approach.

I

I, don't see any disadvantage um to tracking that membership in two places effectively the at the control level or the room control level they accepted an invite is a useful thing to know, and it's just totally semantically different to the idea that they happen to currently have a bunch of encrypted devices. Hopefully that clarifies or we're just talking past each other.

N

I'll save my comments for after Raphael, okay.

M

um Yeah I think I agree with you that it can be isomorphic, but there is one important prerequisite, and that is that we don't have an un like a cryptographically unlinked lists of whatever we call it. Pre-Authorized users Etc.

M

If we can have that list as part of an MLs extension like a group context, extension or something that has equivalent security guarantees to that, then it becomes sort of changeable uh in a way. Because then the the only distinguishing factor is whether or not um a user can read messages and- and that has to do with two things were unset that already it has to do with the fact that whether a user has a device in the MLS group or whether they're scroll back.

M

So those are the two things that are going to determine that. But then we would have the same level of control across this aggregated roster that we typically also have by just having an MLs group. But but we should at all cost avoid a situation where we have unlinked States and what the the source of Truth lies outside of of this combination of MLS group and and previous authorized users.

E

Okay, let's see Rowan and Matthew in the queue um I don't know if those are left over from last summer, if you guys have another round.

N

um So I I was just going to say to Matthew um that I I covered I covered all of the join scenarios that I could think of in draft May. Mimi group chat.

N

um So if you, if you don't like the pre-authorization proposal and want to convince me that we should go and use you know a roster with some attributes, then I would just say you know in a couple of bullet points, if you could go through the each of the use cases that I described in group, chat and say I would make these I. This was what would happen to the roster, or this is how I would do this.

N

um That would be useful and then also uh to describe when under what circumstances, we would need to go and send some MLS messages so that we could have this MLS agreement in the MLS case. For um for for whatever that, the roster is, or you know, any changes to the roster.

N

Does that sound good yep sounds good cool.

E

O

Yeah, so I just wanted to follow up on this sort of source of Truth comic, because I think that's actually the core issue I think we're con we're making we're using terminology and pretending it's a terminology problem. This isn't a terminology problem, it's a it's a pretty fundamental design, question on! What's the source of truth right whenever you have two lists somewhere or two pieces of data, you know. If you want consistency, you need to Define one of them as a source of Truth and so I think. There's two design decisions we can make right.

O

One is that the source of Truth is this notion of this list, which I'm just gonna for call it a roster for a moment here. Call whatever you want, but I'm gonna use. The word roster for this for just a moment call out a roster. The source of Truth is what the Hub maintains and that bounds the lmls membership right.

O

So that's one view um and- uh and it basically serves as a umbrella for the authorization decisions that the clients would make when discernmenting, whether or not they're going to accept, except, for example, um an external commit right.

O

The so that's the source of Truth is the Hub driven by Mimi and the proprietary protocols inside of a of a um a provider that we can't see and then and then the other world view is the opposite, which is that no, no, the MLS group membership is the source of truth and the Hub is basically storing a like summary version of it. um I think we should decide which of those worldviews we're following um and then the terminology can come from.

N

uh I was just going to say if it's okay.

A

To try to wrap this up um I feel like we kind of beat this one to a pulp Richard. Would you like to summarize what you think we landed and then I'll say a few things.

E

I I think I may have to go through the notes in the audio recording but I as I was saying a minute ago, I think to first order, I think the the that sounds like there's some agreement that, like we do have these two independent things to the jdr's part I, might need to find some ways to give one priority or the other. But there are two track things: this list of users derived from the internet, encryption State and a list of policy users, pre-authorized users or, however, we're going to call them.

E

So we've got some terminology work to do in the design to figure this out, but like at least we know what we're talking about now, at least a first order. um The invite I think we may need to do another iteration on this discussion invites and in the exact run process, but that's something we can handle and design team, um but I I think we've got the first level of Concepts. Now we can kind of take it to the design team and do the next level.

E

um Okay, that's that's all the content. So if we can skip past the next slide, I've got just like one little wrap-up slide that says we're gonna go, do um bring your decent stuff. um I! Think that um aligning you know that taxonomy of exactly what the state is and how we maintained it was basically the last big architectural question.

E

We had I'm sure there will be more kind of design, questions that come up with the next couple errors, but this kind of transport e to e control policy, control, message, forwarding message, format, I think that's kind of the constellation of protocols. We've got going in the sort of relationships to one another we discussed here um so like I, said the top I think we're about on track to have something in place in September. We just need to um get our real story on going that and we'll um discuss further in the design team.

E

So thank you uh thanks. Thanks everyone for attending and contributing it was super helpful to have some so run these ideas we've been discussing the design team, that's a larger group and get some some broader feedback um and it'll be useful and getting extra pleasure and getting.

A

Some useful products from working here awesome.

A

Thank you thanks, Richard for um for sharpening us through that and to the design team for all the work that you all put in. um Obviously, we uh crushed our agenda today, so um apologies to the all of the discovery requirements. Presenters, um definitely really appreciate the work that you put into your drafts.

A

This gives people a little bit more time to read them um I think we will dedicate the entirety of the next interim, which will be coming up in a couple of weeks to Discovery requirements, because the design team will still be busy working at that point. um So we'll take the parts of the agenda that we missed today and shift them forward to um to the next interim and then we'll come back at the end of September to the to the design team.

A

um I just put again the doodle Poll for the September into rooms into the into the chat. It's also on the mailing list. um I think Tim and I will look tomorrow morning, Eastern time at the results and and do the scheduling.

A

So if you want to be there- and you haven't filled it in yet, please um fill that in uh tonight or tomorrow morning early and um had one other thing that I was going to remind people of and I completely forgot what it is so uh oh I know um I also I did hear from some of our European folks that uh this this is a tough time for interims and definitely appreciate that I think for the next round in October, um we'll we'll solicit some earlier times.

A

um It would be great to find a recurring time. uh So I don't know if people think that's feasible, but I'd love to stop doodling and just say every other week. We meet at this time on this day, um but I don't think it should be necessarily this particular time of day that we did this time because it's so late in Europe.

A

um So anyway, if anybody has thoughts about that feel free to email, the chairs or the list and we'll take that into consideration for future scheduling. Mallory did you have something.

L

Well, yeah, it was just quickly a question to the design team if that, obviously this is the work you're doing under this assumed architecture, um but then, if the chair's perspective is that is set or if there are options to reconsider different architectures, what would that look like? Is it spinning up another design, team or just coming up with a competing draft?

L

um But maybe it's more? It's not a question. I need to answer to right now, but maybe just a question to the design team. If you can I think consider different assumptions, that's it.

A

um I mean I'll just give my perspective and Richard. You can jump in, but I think from the working group's perspective like it's not like an official design team they're, not working on working group um documents right they're, just like having pre-discussion and writing individual drafts.

A

So for sure, like, as these things come into the working group discussion, um everything is Up, For Debate and um we haven't you know, maybe when we get to time for doing calls for adoption and calls working with last call and all those things like there's many additional opportunities, so um I don't think anything is really set in stone. At this point.

E

This is not a group working on working group deliverables. At this point, um though, the idea of the design team is to design something that is accessible to the working group, and so, if you have thoughts on what would be if something different would be except more acceptable to working group, I think we'd be about security.

A

And we should definitely have a discussion on the list. um In the meantime, too, people want to keep it up in between the interims, as always, Tim or anybody else have anything before.

F

K

A

Okay, great thanks. Everybody see you next time.