Internet Engineering Task Force Interim Meetings, 28 Sep 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF-MIMI-20230928-1900

Description

MIMI interim meeting session
2023/09/28 1900

https://datatracker.ietf.org/group/mimi/meetings/

A

Welcome back to Mimi, um we have a small group at the top of the hour I think we should give people one to two more minutes.

B

A

Up well, while we wait, you could think about being our Note Taker today, because we're going to need one I'm going to ask really soon for a notaker, but not yet so you can consider it. While we.

C

C

B

Audio input test.

C

Okay looks like it.

B

A

Way it was Audible, but at least on my end it um it didn't sound.

C

Great, let me test.

B

Again, here is that any.

A

Better, at least to me, it sounds like the gain on your mic is low or something but I can hear you.

D

It's coming in fun for me.

B

D

I'll do the.

A

All right think we should go ahead and kick off sorry go ahead. Comrade.

E

No worri, just wondering like just so: we don't have F later with mic, just wanted to figure out if it works, seems to work.

A

Yep sounds good: okay, we're going to go ahead and kick off. Welcome back to Mimi, um here's the not well it governs our meeting today and uh references all of the itf's policies, including IPR code of conduct and other things. So um please take a look if you're not familiar and um stick with the policies as I previewed I would be asking for a note taker. Would anybody be willing to take notes.

D

Today, um I can do it if no one's um standing up stepping up.

A

Thank you, Matthew, um and if you can do it in the pad, that would be great.

D

I sure try to find the pad.

A

It is uh linked, it's got called the note taking tool, it's one of your icons at the.

F

Top okay, that was very easy.

A

Thank you, um so here's our agenda for today it's um it's design team day, so we will turn it over to uh Richard, Conrad and Travis to uh present the five draft five draft. Yes, um that have come out of the design team's work. um They have kind of 60 Minutes of presentation prepared and then we'll have uh lots of time for discussion as well. So that's the plan for today. Does anybody want to bash the.

A

Agenda: okay, Richard over to.

A

C

A

A

Are you running the.

B

A

C

Can uh let me see if I can find the right buttons to click to.

C

Share okay, I requested.

B

C

Share I: don't don't see an option for the content slides in the me EO slideshow thing, so perhaps I will go grab. The original thing and screen share sorry stand by one.

C

G

F

G

Happened is that the protocol deck slides, possibly came in too late for the data tracker to be EO sync to go through quite.

B

G

I added yeah I did add them the data tracker but they're not showing up amongst the preloaded slides. Sorry.

D

About that yeah I screen share.

C

Yeah just Center reest, for it so I think you might have to grant that.

C

C

C

C

Tim I'm going to request one more time if you could just grant that.

C

C

um Sorry I'm having to.

A

Tim, do you want to try it.

G

Yeah I'm goodna in a minute just just.

C

Give I probably smooth this out a little bit.

G

Okay, hang on while I click, some buttons.

C

You I think that may have.

G

Worked, do you want to try requesting screen share again then.

G

I'm not sure what you meant when you said that might have worked.

C

Sorry I think I I may have shared after you Rive permission. um If you have a way to to share I think that would work a little bit better. What I thought was going to be possible here is not looking great. Okay, give me a sec, some bad interaction of Meo and.

C

F

Thing we have such.

C

A capacious time slot.

H

I think we'll fill.

G

It I might be in the same, bind as you with respect to Firefox no longer wanting to pop a dialogue. One.

H

Sec is it showing some info bar? That's like I want to show a dialogue, but it won't. Let me.

C

No, it gives me the uh share screen, select the window to share thing, but it doesn't show anything. But the current window sounds like a bug so like I can share a tab in the current window right, but then I can't see the meat Echo.

H

Screen yeah, if you, if you, if you see something, say something there sure file by see something file, something.

C

Yeah to remember my bugzilla password all right, that's looking pretty good from from email.

B

F

Innovation Way Richard.

C

All right so cool, um so this is going to be an update from the design team on um kind of the documents we sent around and some uh further discussion that happened among the design team after we got those out, so I would consider as as we're going through this consider the the documents kind of a snapshot of where we were like a week and a half ago, and we've had some substantive discussion after that. That's reflected in the slides and in the discussion portion after we can.

C

um We can discuss you, know kind of where to go in terms of revving the documents uh or adoption, or what have you so next slide? If you could scroll down please Tim. um The plan for this first chunk of time is to kind of walk through where we've gotten from a design point of view, um we'll start from the top, as usual, um reviewing architectural, Concepts and kind of map.

C

How the current documents reflect that that architecture and uh I I'll walk through those two two bullet points and then uh Travis and Conrad I'll pass over to. um They have worked through kind of how some example scenar some you very basic example. Scenarios work in this framework we're we're arriving at um with the idea that you could. um The documents as they exist are pretty close to being a able to implement these scenarios.

C

um So the idea is to kind of give folks an idea of how the various bits in the documents fits together to actually do uh messaging stuff. So that's the plan and then at at the end, we've got a bunch of time for discussion um discussion both you know substantive, and you know what people think about the actual architecture here and and procedurally what we should do about documents and adoption. um So with that I think we can dive.

C

In next slide, please, so this is just interstitial.

D

C

Architecture, so we published updated, Mimi Arch doc very lightly, updated to reflect a couple of new agreements in the working group, um but so we'll start from the top here and should it'll get more interesting. It goes along next slide.

C

Please this picture should be familiar right now, it's unmodified since, uh since the ITF meeting this is our classic client server to server to server to client architecture. Where um you know the Mimi scope. Is this room uh that spans several servers and then things between clients and servers are are within the provider domain? Next.

C

Slide this is also I, think unchanged since last time. So just to remind folks that you we have this concept that each room is hosted on a hub server um for now we're assuming that Hub server is constant over time that the room always lives in a single place. um There is a of Hub portability that that has been discussed, but I think we're we're puning, that for now and assuming the Hub is constant for the moment.

C

um The notion of this Hub is that all of the communications related to a room go through this Hub. um So if server, a uh and server B need server a needs to get some information from server B in the context of a room on server C server a sends that request via server c, not direct to server B.

C

This is to accommodate you know, lack of full mesh connectivity in the server infrastructure, um but the premise is: if you're involved in a room, then you got to be talking to the hub, and so routing through the Hub is, is a safe way to to Route stuff next slide.

C

Please all right so so this is the first one with some new content um on the last call. You'll recall that we had some disagreement over this term member um and whether that um you know should be used for clients or users um or what have you um and we've got a little.

D

Clear on this, so as.

C

Before the unit of functionality we have here is a room, um a room. In addition, you know room has messages that go by. Of course, I didn't just kind of left implicit here, um the remainder of the information of the room about a room. We call the state. um So that's all the stuff that doesn't. This relates to the you know the what a room is um how it works is not all all the messaging stuff happening inside the room, um and so there's a few. You components that we have.

C

You know in mind right now, for that state, an authorization policy that says things like what users can do, how people can join um a list of users who are participants in the room. The participant list will use that phrase going out forward and an MLs group attached to that group. So some end to encryption State, um including uh part of that state, a list of the clients, the specific devices who are members of that group, so we', we've established kind of parallel terminology, so the word member is is relates to client.

C

So a client is a member of an MLs group and then at the user level a user is a participant in a room, so we have MLS e to e level terminology. We have Mimi user level, terminology clients, members of a group users, participants in a room. So there's there's two kind of lists of things here.

C

You know the MLS group will have a list of members and the room will have a list of participants and we'll talk a in a little bit more detail about those in just a second once you have this uh distinction between users and clients. There's a question of you know whether a user um this this distinction allows for users who have no clients join to the room who clients who are not members of the MLS group.

C

Sorry, a user who is a participant in the room may have no clients that are members of the corresponding MLS group. um So that means we need to distinguish two types of users: users who are who do have MLS clients in in the group or uh users who don't and the terminology we've landed on. There is active or inactive, so a participant in the room that has clients joined is active because they can do everything they're part they have all the all the state they need to participate in the room uh in in arbitrary ways.

C

um Someone who doesn't have clients joined is called inactive because they're going to be more constrained in how they can participate. Yeah.

H

Eric, so this is a probably way too tactical question, but um suppose that we have a situation where I am a an inactive member of the group, and someone sends um someone sends me a welcome and a key package, but I have sorry I, welcome, message um and uh and and join for the group, but I have not yet confirmed, am I, active or inactive, so so.

D

I understand MLS.

H

Mls states where I can be receiving messages, but I haven't confirmed that I haven't changed the KE material.

C

I

um I would say in your example that that was active.

C

I

H

At the moment, but.

C

H

Not specification because I haven't confirmed.

C

Well, well, pause a second when, when the the welcome is generated or sorry when a a welcome is only generated in pairing with a commit right, so there's I, some member of the group issues a commit that adds you to the group and in that in parallel causes a welcome to be created that your client can use to initialize itself.

H

Right agree, but my point is that I have not taken any activity to make that happen. Correct and.

C

As I understand the way the mspc.

H

Is written that is not considered a member of the.

C

Group well at the moment, in the epoch that commit initiates. Your client is a member of the MLS group. So as when that commit is accepted by the you by the room by the clients in the in the in the uh in the room, then your client will be part of the MLS group and you will be an active user, so yeah a user can be activated without any action on their own. Besides, providing that key.

H

Package: okay, we maybe we this offline.

C

Yeah um I mean that that touches on the the question of consent you know under under what circumstances can Eric be added to a room or Eric's clients be uh added to a room um which I think we we have not dived into a whole lot, um in particular fun in the um in the examples we've got here today, um but it's a it's a question. It's a good question we'll need to to work out the nuances of that as we go last thing.

C

I want to touch on in this slide is that in earlier discussions we talked about something called a policy envelope um that I think is a little ambiguous in in I. Think we need some more refinement around that we um need to you. The policy envelope, I think with the idea when we talked about it before was a thing that the Hub would specify that were uh the immutable uh parts of the or the the bounds on these set of acceptable authorization policies uh for a room.

C

um You know the stuff I think we have right now, talks about the policies themselves and we may need to to revisit this notion of a policy envelope um instead of acceptable policies, um so just flagging. That is something that needs some further work next slide.

C

Please I thought it would be useful to visualize this actually I'm borrowing from um some some visualization that Travis put together and Conrad um right. So this is just visualizing. The state of the room, um starting from the right is the most concrete thing you know the MLS group is the set of clients that have um have the keys for the end encryption of the room. um There's an assumption.

C

I think we've been making along that I meant to document these slides that I forgot to that each client in based on their representation in the MLS group. From from that representation, it is possible to infer which user a client uh belongs to, and so that there's actually a mapping between these clients, which I've implied with the numbers but meant to put lines, um should have Drawn Lines um to um so that there's a mapping between those clients in the MLS group and the and the participants in the participant list.

C

As you can see in the participant lists uh user, one we've got three users who are are are possibly participating or participants that have a relationship with the room uh user, one and user two have clients, joined and so they're active user three doesn't, and so they are inactive. But all three of those are you because they're in the participant list, they can be subject to you, they're part of the room, and so they can be part of the the policy structure of the room.

C

um The room can have a notion of what capabilities each user has, um and so they can say that user one is, is an admin or user. Two is a moderator um Etc, um and the policy document also CT captures things like the admission policy, how it's possible to join and other kind of authorization. Things like that. So we split out this this structure, because what we're actually going to build protocols um kind of in parallel to manage the different bits of this next.

B

C

Please so one of the consequences, though, of splitting out the room State like this and building independent protocols to manage the different bits of State. um You know the benefit of having separate protocols is that each protocol can do what it's good at. So MLS is good at managing a cryptographic. You know some group cryptographic State, not so good at managing authorization policy, so we have separate. You know horses for courses uh for the different bits of State.

C

The downside of having separate management of these things is that those things can get uh disconnected um that you could have INF princi principle, a participant list that was inconsistent with the MLS group. So, in addition to doing splitting things out and managing things being able to manage each thing independently, we need to Define what uh how these things interlock with each other a little bit- um and this was a point of of some discussion in the group but I- think we'. We've aligned pretty well on this.

C

This kind of preemption rule as I've put it here, that there is a kind of hierarchy to these bits of State um that the authorization policy is is what governs who can be a participants.

C

um You know- and you know, among whatever else the the authorization policy governs and then the participant list acts as a boundary on the MLS group, so um in particular the the MLS group is kind of a subject of the participant list in the fact in that you can only have a client in the MLS group if you have part, if you're a participant in in the room right, so each client in the MLS group, the user of that client needs to be a participant in the participant list, um and obviously this has some implications for order of operations that we'll touch on in a couple slides.

C

The next uh thing to talk about next slide.

C

Please um one of the concepts that came comes out of using MLS that came out of the kind of DS sphere. Is this idea of confirmation, um so we're kind of pulling this out of the the MDS work and and, and you know, abstracting and fully get into this architecture?

C

um One of the things you'd like to assure about this room state is that everyone involved in the room has the same view of the state. So all the clients and all the servers have the same view of the room state. Now, that's you know. As with anything that can change it's, there might be some some time lag in in this confirmation, but the goal is to keep this. You know to confirm that we all agree um with some Fidelity to you, some proximity to the uh changes that happen in in the group.

C

So the the way uh you know the mechanism proposed here is to to use the MLS key schedule as a confirmation mechanism. So, um in case folks are familiar need a reminder if you inject a value into the MLS key schedule, that value gets hashed into the state of the MLS group and thus into the all of the keys that the uh the clients use, which means, if you, if you disagree on this value, that you hashed into the key schedule, then you can't communicate your keys, will all be different.

C

So the the concept for confirmation here is to take the whole room State, including the you, the MLS State, already goes in by virtue of MLS, but to also take the authorization policy in the participant list and hash those into the MLS uh key schedule, so that um you know, in order for the group to continue functioning. Everyone has to this have the same view um now functionally how how I think we expect this to work.

C

Is that you we have some group context extension using some existing stuff in MLS extensibility points um and then each commit that is made to update the MLS group to reflect new changes to the room State. You know if a user joins and we want to add some clients for them. uh Each commit you know will uh be enforced by The Hub to reflect the current room state so that will'll have to carry one of these extensions that um updates the the MLS confirm state to match the current room State.

C

um The way I've drawn the blue arrows here is perhaps a little confusing. What I mean there is that you know the MLS group will have some extension. That you know is a hash of the rest of the room State, and so that will confirm- or you know, vet via MLS, the participant list and authorization policy, so the MLS state, if you agree on the MLS state, that means you agree on the participant list and you agree on the authorization policy.

C

So again, this is another thing that will require a little bit of specific order of operations, because, if you're going to require reasonably fresh confirmation, then you need to do some commits uh to keep fresh the confirmation fresh as you make changes through next.

H

C

H

Yeah, oh sorry, yeah I'm justos want to make sure I understand this slide, so um these arrows really meet so the arrows on the top mean information flows, the red arrows mean information flows downward and the arrows in the bottom mean look over here because I'm incorporating that data into myself right. So actually the information is always flowing downward.

C

Right, uh yeah, I think think: that's that's a fun way to think about it. Yeah, okay, great you well I mean it's a little bit circular in the in the sense that the authorization policy governs the participant list which governs the MLS group. But then the MLS group confirms uh you know this. This hash, that's in the MLS group confirms that uh what the authorization policy participant was were the last time we made an update.

H

No I I I it points to them. I guess is my point: it doesn't it doesn't it's not reincorporated, so if so so, there's no, so not there's no MLS message which you would send, which would change the authorization policy that' be on some other layer. Even.

B

If they were some.

H

Yeah yeah the control flow.

C

Left to right, um yeah, the confirmation is, is right to left perfect. Thank you.

C

Okay, all right next slide.

C

Please yeah so order of operations, so these invariant on the last couple slides. You know they're useful in terms of clarifying um what we mean, but um they have some implications for How We, Do Stuff um in particular. If you think about, joins and leaves uh things that are going to touch both the participant list and the MLS group um you have, they have to be done in a particular order.

C

So when I'm, adding echer to the room right, I, I'm, I'm gonna want to add eer as a user and some of ecker's devices, and so, if we're going to have this preemption order in the um you know, as the the kind of orange arrows indicate, then I need to make sure that eer is added to the participant lists before I. Add his clients, because if I try, if the ad, if the MLS ad shows up first, that you echer won't be in the participant list and that commit will get rejected.

C

So you know we need need to do ads at the participant list, level first and then at the MOs level, and then, when I'm, removing echer from the room. It's the reverse. So I need to make sure all of ecker's clients are removed before eer can be removed from the participant list, because, if I remove him from the participant list before his devices are gone, then he's actually not he's kind of still a participant because he can still get access by those devices. So the idea is to have the participant list reflects.

C

You know the people who have some chance of of getting this stuff um and have the ml group, be, you know no larger than the particip list, and so we have to do these operations in that order. To maintain that invariant.

B

Yeah eer is this a new comment.

C

H

Hand right so um so I me, this is definitely one way to design the system um uh but and and I'm not I'm, not saying that I think there's that the other way is better. But let me FL another way just to so, we make sure we've considered it properly so another way.

H

Another way to design the system would be um that some, some EXT imagine some external party which a participant list right, orol, otherization policy- and um you know the the um you know the operator of the messaging service and it says well: I'm kicking Richard out of out of the thing right and it's it h, a participant list, and then that triggers some member of the group to um to to uh to to says well members of the group, the first person to see this ought to do an MLs, an MLs.

H

You know commit to the group right, I'm, not I'm, not sure. That's a good design. I just want to point that that that's not an alternative and I think it be worth talking about. Why why you rejected that?

H

um um um And and if I just say, one more thing, which is one might imagine that there were um and and I of course, I'm like team MLS, so I'm have to only work with MLS, which has this functionality, but might imagine there were there were there were cryptographic, know protocols which should not have a meth mechanism for an external party to evict someone from the group.

H

um uh Do you even propose it right, um and um this relies on there being like an MLs mechanism that says I who I person who's, not in the group proos to throw which out of the group right and um and when imagine there protocols didn't have that property, in which case it's not clear what you would do.

C

Well, you can you can only do that non- cryptographically right, you could.

H

B

C

B

Just a message.

F

Just you know message.

C

Authenticated from the server that says, you know, dear dear client, please if I.

H

Yeah you're both on you, both on top of them the thing yeah I, don't feel strongly with this and I think this a reasonable design I'm just like trying to think trying to explore the space.

C

Yeah and I'll let row talking second but I. Think that the what I think the design team thought about that some I think the thinking was that it would be clearer rather than proactively, removing from the participant list. While that request was pending to remove the devices to instead keep them on the participant list, but maybe annotate it as being in an exiting state or something and.

B

C

Actually remove once the devices are removed but ran. Do you have some further thoughts here.

I

uh Yeah, so um that that's exactly what Richard described is exactly what I proposed, um but the I wanted to to comment specifically on the you know, to MLS or not to MLS, so what we described.

I

The compromise that we came to was that there is, you know, basically, a Lego block of stuff that manipulates State and the endend encryption and in the case of MLS, the MLS chunk that you know the the end to end encryption has a bunch of stuff which also manipulate State, and so the set of things that you need that are outside of mLs are, you know, are fairly small and possibly could be made to be zero. um If you did this with double ratchet or some other protocol, then the Lego block still has the same.

I

The the same boundaries and the Lego block includes something that goes, and you know basically does an encryption of of sessions and things that in in some some other stuff that manages the state of your. You know, in this case your mapping of the participant list to specific sessions. So you can totally do this with another protocol if you want to, but that's not in our Charter, but we have made, you know we have we. We have been striving to make sure that that is that. That is possible and you know, doesn't blow your head.

C

Up and that's an excellent transition to the next slide. Sorry I: could you go ahead.

H

Well, yeah. Maybe this is the next slide, but I think like there really is a group decision he made, which is. Do we assume that the outer Contours of what is required in this Lego block are effective, what MLS provides and that anyone else like has to figure it out on their own and we're not going to help basically, um which is basically cied with TLS right? um It's like quick was basically designed to have a hole, a TS shaped hole and it was like your responsibility.

H

You want else in there to put it in there I a f decision I, it's in fact appropriate decision, but I just want to call out that's a decision. We should really explosively make.

C

Yeah um yeah, so can we go to the next slide? Please, because that is my Lego bricks slide for what it's worth. I looked up, the I checked the official terminology that Lego company I prefers, and it's bricks, apparently is the not blocks. Is the official name also found the uh the atmology of Lego at the bottom, which is about playing well, which I thought was a very appropriate.

C

uh You know you know admonishment uh for for folks in the ITF to play well together, um but this is kind of the Lego brick uh model that that design team has been referring to in our discussions um in terms of what protocols need to exist to make this go, um and this is this is a bit in the architecture document, but I think this. This diagram probably needs to get import into that document in the next draph.

C

um So right, at the base of of all this, we have some transport that ships messages around between servers. um It's pretty lightweight at this point. It's it's just a framing thing, um then, in these blue blocks, well, I'll I'll cover the right hand first, because that's the simplest thing.

C

So there's there's some messaging forwarding protocol that just like bans, things out as would expect bans and and encrypted things out, I that end to end somehow touches that the message sits between the message, format and the forwarding, but that was inconvenient to draw so I didn't draw it over there, but the the.

F

Presumption is that messages.

C

The thing things that are in the message format are carried in some inst end and capsulation and then delivered over some forwarding protocol. um The interesting bits here, the parts that, if you've been following the last few slides, are these. These blue blocks um for the different protocols that manage the different groups of State attached to a room. So, like Rowan said we have this end to end thing which is managing in you know: ietf Mimi, MLS, group um and I think echer. uh The way echer framed is is accurate.

C

uh Is it corresponds to the way the design team has been thinking about this? This is an MLs shaped hole, um and if you want to do this with some other protocol, it's up to you uh to figure out how, to you know, add whatever filigrees you need to to make your thing. uh Do the things MLS does so like confirmation, um that's that sort of hashing into the key schedule doesn't exist in a lot of other protocols. So if you wanted that um security benefit, you might have to do that.

C

um As an aside, I might say that, like a lot of things that MLS does, you could do non- cryptographically and get lower security properties. So it wouldn't be surprising if folks, coming to this with a different protocol, did things like proposals, but without some of the um you know, confirmation security properties that that MLS gives you um so anyway, we've got an endtoend block which manages the cryptographic state, uh the endtoend uh security Keys. um We have a policy layer.

C

Sorry I've put these in a different order than the state bits on the previous slid. That would have been helpful, a policy bit that manages the authorization policy and a signaling bit that manages the participant list. um I've written this gray block with application logic, because that there's going to need to be something in the software implementing this protocol that um ties these things together and ensures those policy. You know those inter we talked about on last last slide.

C

um I think that's not written down in the current documents, except for for the how it's captured in the architecture document. um So speaking of documents, we go to the next slide.

B

A

A

um So when you talk about the MLS shaped hole, do you think the hole only touches that one box, because in reading the drafts it feels like there's actually like quite a bit of interlock between these, like the transport protocol might be designed differently if you weren't using MLS and um so I'm, just curious of like when you say the whole, like which parts of this does the hole extend.

C

To um I I think the aspiration is to I'm just noticing E's comment in the chat, um well, I I think.

A

Mostly this whatever forget about the diagram, but you see what I'm saying is like like yeah, how much of the overall architecture is impacted when you say someone can can do this without MLS, because to me it seems like most of it. So I want to know if I'm wrong, basically.

C

Well, I think the uh the compartmentalization objective here is to is, for it to be like not an inordinate amount of re-engineering to reuse. The policy in signaling and transport bits with a different protocol for the inent security.

B

um Now, if that requires.

C

That you implement some, you know, imagine that that, like the message encapsulation of the transport uh reused, some MLS data structure that.

B

You would get naturally.

C

If you had an MLs stack, but you might have to implement that that data structure with a different thing like that that that may be a little bit of infection. But it's it's not an inordinate amount of work. To add that to your existing ctivity, like like I, was saying a minute ago like no like MLS is a little bit. You know, has a bigger envelope.

C

It's going to leave a bigger hole than most other protocols uh that are of its General shape, and so, if you're, starting off from one of the other protocols, you're going to have to add stuff in order to to do something comparable to MLS.

C

um So yeah there's there's going to be work, even if we, um even if it's just confined to the end, end thing and I, think there's there's bits to touch but I think the objective is to to make them reasonably small and and not in kind of tying. In all of the complexity.

I

Want go through the que Ron yeah, um so I can give my my my version of what I think the answer to that is ala, which is that um you know I kind of imagine the the the Pol the policy Blue Block is independent of protocol and that the end to-end encryption and the signaling um they have um uh they touch each other, but the size of them.

I

You know, basically, they need to be sort of a match pair, but the interfaces that you know the interfaces to the application logic could be the same for um for a pair, a matched pair of MLS, plus MLS related signaling, um compared to a replacement, double ratchet and double ratchet signal related signaling. So those like that those two pairs could have an equivalent uh lower interface and upper interface and then, of course, message forwarding, relies on and dead encryption, so I I. You know three three bricks is my answer: I hope that.

C

Helps: okay, Tim.

G

Okay, so granting that we could design some sort of abstraction over um a specific Eed mechanism um that would allow either like MLS or something like double ratchet, to be used. What does all this mean for interoperability is the idea that participants would have like previously agreed out of band um that they're doing either double ratchet flavored, Mimi or MLS flavored.

C

Mimi for for the ITF, it means nothing. um We are going to make MLS flavored Mimi um and if other people want to vary, that's they're off book and it's up to.

G

Them, okay, so yeah, no expectation, then of like inband negotiation, of which kind of e toe use.

B

C

Thanks and just sorry just to add a little bit on, there I think the object again talking about objectives here, um I and maybe maybe if, if Matthew, wanted to come up and say some stuff about this, but I think the idea is like if folks want to use some drafts here, that um you know they might be able to take up some of the transport or policy or signaling bits that are a little bit more independent before they're, ready to to buy off the whole complexity of that's the idea.

C

It's a theory but I think Matthew has some more thoughts on the in the C, but eer.

H

Yeah I think so I think what I got say. We like largely what you just said a minute ago, not not what you just said, but you said in response to Tim and we like, we are Charter to design something uses MLS and as a as a matter of good design principles.

H

It is useful to like design something where MLS is coupled to the appropriate level, um which is not not at all, coupled and not and not totally intertwined with um you know, with with with the um with the rest of the protocol, and that is a a set, a set of judgments uh um and um and it's not and it's not I I, don't think responsibility as working group to like go to extensive efforts to make that make that removable.

H

But we should but like there's, no need to go to make it not removable either um and so I think when I said, M should told what I meant is we'll design the system assuming MLS is the way it is and we can depend everything MLS does and if, like you know, if you want to build something that is supposed to fit into that hole and you don't want to use MLS, and that is like your responsibility to fill in all the details and, like you know in particular, I, don't think we should write like a document that, like defines an abstract API, that to do it's like you're, just like like like, like you, you know just just drop in it's like not really our problem right and so um um and so and and to um alysa's point I.

H

Think it's entirely appropriate to sort of other part of the document say because this, because this is carry MLS, you can do. We can get away with x, y and z, um and you know, and obviously as I think I mentioned to you earlier. Offline Richard, like you know that, like MLS, somehow like is actually under under in between message for forwarding your message. Format in some unspecified unclear way. So there are, you know there are tendrils of MLS All Over. The system I think that's entirely entirely appropriate because.

B

H

It's it's a basic invariant yeah.

C

Yeah just to extend your quick anal from earlier. If someone made it wanted to make a quick based on wire guard, they'd have to like figure out how to make wire guard look like TLS to the extent.

H

Yeah and people have fact fact: if I've done the specifications I don't know how good they are, um um but it wasn't like an objective or quick to like like go a lot effort to that possible yeah. All.

E

Right: ah okay, now it works the risk of getting a bit technical, but I I, assume that we're going to for for reasons of good practice, we're going to have version in anyway, there's going to be a version, probably at the like first field of of any kind of high level uh struct, and so, if you then want to use abuse or use this to find your own versions somewhere in a field where no version other version will be, then uh you can use that and that essentially gives you the the kind of negoti capability.

E

I

C

The extended Med mute.

C

Button, maybe we lost Matthew all right any case I think we can move on at this point um next SL just.

F

Sorry yeah the mute button literally vanished from the Dom, somehow um so yeah. Well, what comrad said was what I was going to say about agility. Obviously you need version agility in here anyway, and that can be used to describe different dialects of MLS or double ratchet or whatever. It is in terms of the kind of transitional benefits.

F

um I I think there is a real opportunity to be had here by going and making the Lego blocks interchangeable in terms of just practically getting uptake for this protocol right now, people are speaking double ratet and frankly, getting The Gatekeepers comfortable with the idea of using the consistent policy and signaling message.

F

Forwarding and transport modulated bits which do have dependencies on the crypto block um stops the risk of folk implementing their own proprietary vendor specific um apis in the shortterm for dma compliance um or for that matter approach using a different interim solution that then gets um replaced.

F

Well, that hasn't got the traction of something like MiMi, um because because it's seen as a transitional effort, whereas if Mimi can support the transitional use, cases, I think there is a much much higher chance of it actually going through and being adopted by everybody, rather than just through specification pressure, particularly as there isn't regulatory pressure at the moment to talk a Common.

A

Language, so just um just Visa what everybody else in the que just said. Do you feel like what you just said is consistent like like people were talking about there being, you know some dependency, but, like you know, we scope the size of the whole and then like people want to use something else. They use. Something else. Are you advocating for like more decoupling than than what was just discussed.

F

No I think that the proposed decoupling um is sufficient from what I've seen um unless um the gold posts are changing from. Since we last spoke about the specifics on it and I think it's completely reasonable that you need a confirmation mechanism and and MLS gives a great confirmation mechanism. Other ones also exist um like the one we proposed in linearized Matrix. That can also be used to fill that hole, um but I think the strategy of saying look, it's an MLs shaped hole. You got to figure out how to fill the gaps.

F

If your protocol can't fill the gaps, then perhaps it has weaker security properties. Frankly, acts in the interest of both MLS and Mimi by there being a kind of um potential gradient that is dragging people um towards the promised land of MLS, but at least provides a transitional route to do so.

A

C

Yeah, how exactly we achieve that right, right degree of coupling or decoupling has been an appreciable amount of the time that the design team spent discussing so last last slide. I had here is just mapping the documents that we've got now um to these Lego blocks.

C

Just to show that you know hey, we have some some coverage of this uh in the documents um now, unlike actual Lego bricks, um these documents don't fit super nicely together right now, um as you read through them, you'll notice, there's some disconnects in your assumptions um and some disconnects with um what I was what was in the preceding slides, because this reflects some more recent discussion.

C

um So I think the idea of the next section where Travis and con are G to kind of walk through some scenarios is to give an idea of where um you know where We've Ended up as a design team on how things should ought to work. Within this framework, we've been discussing um as as a direction for where these these documents should be headed. All.

H

Right this, like architectural diagram, seems, like you know, modulo, my not intended as a faal statement seems like largely accurate um um I think it should not be used as a guide to which drafts not to exist.

H

Hway law um I spent some time this morning going through those drafts and um why I think there may some reasons why they not F were well, but frankly, it's incredibly difficult to like have like things spaced out so much so it's like this depends on this, and this depends on this and you got to read them and they're. All quas depended so like what so like. I do not think, um given that we have no given there's no intention of like being able to demount all these different blocks.

H

um You know I think we should be trying to consolidate the documents as much as possible, rather have like six individual documents, each three pages, long, which is kind of so um that may part part of the reason why the fit May rough is precisely because the C comwe La effect.

C

Yeah all right.

B

C

That's all I have I was going to pass over to Conrad and Travis to walk through some.

B

J

Sure yeah, um if we can head to the next slide,.

J

Please uh so yeah uh scenario discussions is kind of where we're at as uh rich mentioned in the introduction there. We had um two scenarios kind of laid out here, just to kind of show like what's going on between the documents themselves. uh First, one here being Alice adds Bob second scenario will be Alice leaving uh that group. So if we go to the next slide, we will start to see some assumptions uh so yeah. Here we are assuming that um Bob's service, specific identifier, has already been discovered in some way.

J

So we are pass the point of uh identity. uh We are now strictly into protocol side of things um as well. We're assuming that any consent that Alice needs to add Bob to the to the room has already happened or is implicitly given. um There are multiple layers where uh consent could be asked for or achieved, um but they are they're all granted in this. This sort of aspect here um there's also many other types of join flows, there's just one. This is just one example of many here um and.

B

J

We'll kind of head into the next slide here with all of that as a qualifier, so the very first step is that Alice has to create this actual group or room. This happens outside of Mimi. um They just create it with their provider, uh but it does have all the initial State uh required for Mimi to operate. So this is the participant list. This is the policy.

J

This is the actual MLS group itself um and all that stuff, but Alice does have the optional ability to add all of their MLS uh clients to the group at this point um not strictly required by the protocol, probably a good thing that should happen um but uh yeah it. uh It does happen. So now we're going to head into some uh diagrams here. If we go to the next slide,.

J

So, following that preemptive work or that preemptive U yeah workflow, um that Richard was mentioning uh signaling happens first for lack of a better term, um so first Alice needs to create this signaling event uh to actually invite Bob into the group um or into the room. Rather, uh all of this invite stuff, as mentioned, could just be skipped uh if we use a welcome flow instead, that's another type of way of uh joining, but we're kind of we we're skipping that part and we're covering specifically the invite and then join as separate operations here.

J

So first yeah Alice creates the the invite event for Bob and then next slide.

J

Please uh and then yeah well, Alice has to send that invite to the hub itself and that will um then be start to get fanned out. So if we go to the next slide, we're going to start seeing that the The Hub is establishing that secure connection um between um what is Alice's server, because Alice is the the Hub in this uh scenario and Bob's server.

J

uh And then, if we go to the next Slide, the fan out actually starts to happen, so that invite event uh is now being received by Bob and on the next slide we will see that actual um invite being checked um again. We're assuming the happy path here. So this is where you would check for policy. Support, does Bob server even support. The type of room that is being uh discussed here is the is the policy. Okay is the encryption supported? Is there consent? All of that stuff happens here?

J

We assume that everything is okay uh and move move on to the next slide, where we then have again another implementation, specific uh detail here, where um or outside of Mimi, where Bob server stores that invite and eventually gets it over to Bob through whatever vendor specific API and that sort of stuff. um And then, if we head to the next slide, uh some amount of time will have passed.

J

uh Bob will accept that invite uh and we'll start to create this join um State uh or the signaling State change, so we're still well within signaling here, um MLS or the MLS group only has Alice's clients um in it. um Bob is still in the invite uh State here on the next uh slide that uh join will head back up that secure channel uh from the transport into the Hub and then on the next slide.

J

The uh The Hub will distribute that back out to to all the other servers which currently only includes Alice. So it also goes back to Alice's clients, uh and then we head into the actual MLS bits so I'll hand it off to Conrad. For this, um where I think he'll be able to cover that in a lot lot more detail than I.

E

uh Sure but I think first ran. That was on the the queue.

E

I

uh This doesn't resemble at all what I thought we agreed on in the last couple of calls. um I think what we discussed was that this purple signaling would happen simultaneously with the endend encryption or could happen, or most likely would happen simultaneously and not as a not as uh this happens first and then happen. Second.

E

No good good point I was I was starting to get to that. So um we here, we chose the kind of the external commit based, adding Bob flow, uh where um a lot of non-mls stuff happens before Bob, then kind of inserts uh themselves or inserts themselves into the group uh in the welcome based flow. um The AL will probably send the welcome together with the hey at Bob signaling message.

E

um We, we kind of chose this presentation to uh show kind of the signaling route first and then, if you go to the next slide, um we start seeing uh Bob's server kind of the Hub sending a group info to Bob server, and this could be the Hub could send the group info, along with the Bob invitation, uh signaling message to Bob server. If, if that is if, if, if, if that uh is desired, I guess, um but for now we've kind of modeled it. We we've wanted to show it separately.

E

So this is the the kind of MLS um part at work. Bob needs a group info to join. The group uh note that, like as a small kind of side, the group info has to be current, so while the Hub could send the group info along with the uh signaling message, if Bob is offline for a for for a while, and the group evolves uh in the meantime, but would have to get it a fresh group INF for anyway to join externally.

E

So uh The Hub sends the group info over the transport uh secure transport to Bob server. Then in the next Slide the Bob server forwards it to Bob, um and then you can go straight to the next slide, where Bob does an external commit and uh sends it right back to its own server from there in the next slide.

E

It goes over to the hub, via the transport, sorry for all the scrolling Richard, um where the Hub processes it and forwards it on the next slide, to uh Alice or to I, guess everyone else, who's in the room, um all the other servers um and also uh sorry. Could you.

F

Go to the next.

E

Slide, please uh also, as you can see in the the the room State on the Hub Now Bob's client is actually in the room and um the external commit messages distributed to all the group members. um So right.

B

E

No okay, sorry I thought someone was raising a hand, um okay and I- think that's pretty much. It.

C

Richard, hey con I'm, just kind of following on a bit, so it's a Rowan's question I was wondering if you could comment on where the confirmation happens in this uh process. You've laid out. So what's what point does it get confirmed by the MLS group? That Bob is now a me, a participant in the room.

E

All right, okay, so the moment that the Hub processes, the the signaling message that Bob uh is added as a as a participant, even in the invited State, not even in the confirmed kind of join State.

E

um The Hub would then require that um h, no sorry yeah the Hub would require that the next commit would already uh kind of feature the updated participant list as part of the group state so either that's part of the group State as a group context, extension or inject it as a psk just to make sure that whoever does the next commit agrees on the participant list that this agreement is then uh essentially part it becomes part of the group said Eric.

C

So so in the flow you've laid out here, the Hub would require the external commit that Bob provided would have that confirmation. That Bob is in fact a member which seems a little circular, but I I, don't think is.

E

Actually, uh yeah Eric.

B

E

Right yeah, it sounds right.

H

Okay, yeah so I guess maybe I just don't have it all booted in my head, but I'm like somewhat uncomfortable with this notion that the Hub is doing a bunch of enforcement, MLS inv variance. um That seems like, like maybe that's possible, but that seems like, like I, like none of these documents, had rules anywhere near clear enough to implement a hub in order to do that. As.

D

H

Can tell so like I guess you know I would ask first. Is that really necessary? What happens if we don't do it, um and um um and um in particular,.

B

Second, is.

H

It possible, namely um you know, for instance, is it possible to is it possible for participants to pretend they're meeting the invariance, but not really to meet the invariance um and, if not, and if, if it is possible, then like what is the value of the enforcement um and um and third, how complicated is it to actually specify the rules for what is in fact.

E

Possible yeah all good questions.

H

Give give to one example: I mean um you know, uh you know, um I, add somebody but I, add somebody, but I give them key material, which is bogus. It's like in fact, or not. Member of the group right and and going back to the discussion we had earlier until they've actually responded. Then they're in the some Lial state, where nobody sitation is and the how have enforce that.

E

Right right, I mean the the bogus key material question. That's that's a question for on the MLS level that we that's just unsolved. On the MLS right I mean you can always send bogus.

H

No, no, no right right, but but I guess by by my point, is that the the MLS state in the M right, exactly that's that's part I'm getting at is like is like to what extent what is the Hub verifying the stuff doing like what is the function that Hub verifying stuff is doing in this protocol? What happens if it just doesn't do.

E

H

E

So um for now the Hub is mostly verifying that the participant list is injected into the group state in one way or another, um by whoever, like after the Hub after a signaling event, has reached the Hub and the Hub has uh kind of blessed it and F it out to everyone else. Then it requires that uh kind of it's reflected in the group that, in in my I I like to think of the the signaling messages, as you can Implement them using proposals right.

E

It's just like Fanning out a proposal and then before you you know the next commit has to implement like has to commit to that proposal, and the Hub will not accept any other commits that do not include this proposal and like what we're doing right now to kind of keep the signaling somewhat separate from MLS like for now is that we kind of yeah. We might reinvent some properties of proposals, but um yeah I.

E

Think for all intents and purposes uh you can think of it as a proposal for now, at least in in terms of semantics, I guess I understand is.

H

What what's the functional you told me, you told me we doing technically but I'm asking what's the function of that? Why not just not do.

E

That it's to ensure that everyone agrees who's on who's on the participant list and to avoid these kind of weird splits where someone one group member uh doesn't think Bob is in the group and the other one does think. Bob is in the group and then suddenly Bob joins, and one group member will think that's illegal because Bob's not on the participant list and another group member says: oh that's, fine Bob is on the participant list and so agreement on the participant list is vital to enforce policy.

E

At least that was my understanding, uh not not being uh a signaling expert, I, don't know Travis. If you want to say something or.

C

Richard I I I was gonna uplevel this a little bit note that um at least mechanistically. This is not a crazy ask. So, like the a lot of the reason we have a central Hub to start with is so that it can act as an Arbiter for which commits get applied so provide the sequencing that MLS requires at a base.

C

So the at at the the the base function of a hub from the MLS point of view, is to act as an Arbiter of commits um right if, if Conrad and I send commits at the same time, one of them has to win one of the m to lose.

H

Right but that's right right right, but that's that's a non-adversarial function.

B

H

And so it is an adversarial setting, no.

C

H

Either order would be fine in those situations right, the Hub could say, could compar commit a or commit b or in fact delete both of them right?

H

What I'm trying to understand is like um um how like, like what state of affairs, could you get into where the Hub would be rejecting some set of um some set of messages um as not matching the alleged State um and um and that, and and can you guarantee the Hub canect every single instance of that the situation only some of them and if the answer is no, then then I'm not sure why we're doing it at all.

C

Well, let me uh I think the the high level Point here is like these rules need to get written down in.

H

Docents well I think but I think not just rules. I think.

C

Corresponding you know, justification.

H

Security guarantees is intended to provide yeah what I'm asking for.

C

He con for your benefit, I think that the the Salient counterfactuals look at here is like yeah.

F

C

The Hub were not enforcing C, the the members could still agree um and then what's the difference with that scenario, so I think we just need to drill down on that and get precise on why we need the Hub involved.

E

Good point right, I mean we could have agreement just based on the members, um but that leads can lead to situations where you have a kind of an Insider in the group and and The Insider can send like uh and I mean we have the problem to certain degree with MLS anyway, but The Insider can kind of derail the group by sending an external like sending a commit, that's illegal in the eyes of other clients, but the Hub says you know: I'll, take it whatever and then it regets the EPO forward.

E

And then everyone, like everyone, disagrees with that commit discards it, but the epo's been registered forward and now the hub's in a in a like in a state that the clients are not in and like that's. So we try to do I, guess a lot like as much verification as we can to on the on the hubset. But I I agree that we need to uh write this down formally and and spell out what security guarant these weeks back.

E

Yeah um are you you C again or still.

E

Sorry, okay, um yeah I, think I think this is the end of the first flow Richard. If you could SL uh go to the next slide, oh yeah I mean pretty much so Al and Bob can now Converse and then I think we can I don't know Tris. Do you want to say something more on this slide or or do we want to go to the next.

J

Scenario: uh yeah I mean, after all, the invite stuff happens. Yeah they can, they can finally send messages to each other um and normal Els operations happen. uh It's worth noting that the signaling side of things um so when Bob is in the sort of joined State there uh if Bob adds through their provider another client, uh they can add that to the MLS group without talking to signaling at all, um they can just do that. They can also remove all their clients or one of their clients whatever, um without impacting the the signaling side.

J

All signaling is doing. There is making sure that Bob as a user is at least a joint participant in the group to allow those sorts of operations. um But if we head into the next scenario, we can talk more about like what happens when at the user level somebody wants to actually leave.

J

um Is there anything else that you want to cover Conrad before we? We jump over.

E

uh No go ahead.

J

All right, so, if we head into the the next slide, then um we will have some even more assumptions uh based off of the previous uh discussion there. So in this particular scenario we're building on top of what we just established so there's a room with Alice and Bob in it. There's some clients for, for both um they're able to converse um and Alice's server specifically, is still the Hub for the room um and so on. The next slide we're going to see that Alice actually wants to leave that that.

F

J

um So this starts with a signaling event again um and again like this can also be stapled together. Both the the DS and signaling operations. We've just split them out here for at least visibility purposes, um but there's nothing necessarily constraining it to be separate operations. They could be um at happening at the exact same time here, but yeah, starting with the signaling um Alice, generates a leave event sends that to uh The Hub server or their own server, um and then on the next slide.

J

We again use that um secure Channel um but as as the leave event is being found out, uh The Hub needs to require that all of Alice's devices are actually leaving the uh the the group here, um because Alice has no right to to continue in the MLS group. Now that they're evicting themselves from the uh from the over or the from the the room as a whole.

J

So on the the next um slide here, um I think we had a a minor uh color coding issue um uh or no I'm, just not staying in sync, all right, so yeah so Bob receives the uh the leave event um from from the server that was found out from the Hub and then on. The next slide we start to get into the into the MLS side of things uh for Conrad to.

J

Cover uh you're suddenly mute for.

J

Me I can also try and cover this. If that would help.

B

It sounds like con is.

C

Having connectivity issues so go ahead.

J

All right, I'll keep an eye on the chat uh for live Corrections, um so yeah the EMS commit to remove all of Alice's uh clients here um happens, uh uh so Bob does that, just because Bob happens to be the the only other, client or user in the room.

J

If there was a third user or you know, any infinite number of combinations of other clients, um they could do this as well, um but since Bob's, the only one Bob is the one that gets to do it so Bob sends that to uh their server and then on.

J

The next slide that commit um makes its way to the hub, um as should hopefully be no surprise at this point um and then on the next slide, um Bob is or Bob's commit is sent to Alice, but Alice can't really fully process that commit, but they do learn that they were actually removed from the MLS group.

J

um So now they they have the state knowing that they are um no longer in the the room and that all their clients have been uh evicted as well, which is good news for them, um because that is the intention that they wanted. So, on the next slide, um we have a a bit of a constraint here uh where you know it is no longer hello world. They can no longer communicate with each other, at least in this this room.

J

But there is the the interesting point that um Alys server is still technically the Hub uh for this room, but they don't really have a a stake or anything in that room, so uh we may or may not need uh the server or the Hub server Ro to transfer of some variety to another server. um But this is um something that, like the design team, hasn't had a lot of opportunity to discuss. Yet um so it's it's kind of up in the air, we'll kind of we'll have to figure it out.

J

I think a little bit more and work through it, um but uh yeah. If we head to the very last slide uh I believe we now get to have conversations about the previous 40s, something slides.

J

I guess yeah! If Richard you want to introduce this, this particular section.

C

Yeah I was actually going to ask a question about the uh remove flow, um so um imagine that there were um both that the the room had three participants: Alice Bob and Charlie um in the in the one to one case where Bob is the only remaining participant.

C

It's clear that Bob needs to do the commit um and I suppose that in principle, if you just kind of announced that the that Alice had left and her devices needed to be removed, you could kind of let Bob and Charlie um decide on their own, whether they want it to commit um and just kind of throw it out there. um What gets committed gets committed it's up to the hub to to decide or in principle The Hub could designate.

C

Someone to you know some of among the first few clients to come online roughly simultaneously, which of them should be the committer um didn't know. If folks had opinions between those.

E

Options, um maybe I can jump in here. uh It works now by the way um I I, don't think like I, don't have a particular opinion in terms of the the flow there, but I do think.

E

The Hub should require that the next incoming commit should remove Alice, because otherwise, if Alice, you know, stays in the group as a with kind of weird clients where a new new user joins the group or new yeah user joins a group, adds a client and then sees oh there's, Alice Alice's clients, but Alice is not on the user list. So what does this mean like? Who is Alice um um yeah, so I think the Hub should require? Whoever does the next commit?

E

You know if maybe the Hub could kind of picks someone and who they then do the commit or something um I'm, not sure that that's maybe a technicality but L should be removed in the next commit.

E

K

Yeah I have a different question: um I mean the flow that you mentioned here. Kind of seems the opposite. What we intro introduced earlier, like where we talked about removing the alysis clients first and then removing her from the group I'm wondering if that was kind of a conscious decision, or uh there are technical limitations that we couldn't go down. That path.

E

J

Perspec, um it doesn't really matter uh whether Alice finds a way to sort of self- evict first uh from the MLS group or evicts from the signaling side. First, um it's just laid out as signaling first in the the diagrams here, mostly to have consistent uh ordering um between the two scenarios, but like I, like I, introduced in the original um flow there like th. This could happen simultaneously. It could happen in a different order.

J

Leaves are a bit of a special case in this sense, uh because they they can happen out of order from the um from the preemptive um model that Richard was discussing, whereas uh things like joins and KN. All that might have to happen in a a very more specific order.

K

Well, I mean the reason is like if we have the user leave, but their clients are still in then the room is in a consistent state right and so that that's you know, that's why we kind of discussed like you know. You can always have the user as a participant in the room, but you can't have uh without any clients, but not the other way.

E

Around yeah I mean Richard had a proposal for that um Richard. Do you want to talk about this collaborative approach versus the preemptive approach.

C

Yeah well going back to so what Basel said. I thought what we had discussed in the design team call was made sense where um the signaling message in advance of um Alice's clients being removed would not actually remove Alice from the participant list, but rather put them into some Nona. You know some exiting state where they would be marked and- and you know that might be part of the the trigger that says- that Alice's devices need to be removed. um So I think that order of operations does need to be.

C

um Does need to be clear in the documents.

E

And maybe just one more comment up. Sorry.

C

But I think it's important to maintain that um you know. If we're gonna have that that preemption in variant, we need to make sure that Alice remains in the participant list. Even if marked is exiting as long as Alice has devices that are.

E

Joined yeah I mean that that's partially, due to an unfortunate like uh restriction of MLS, where Ellis can cannot just do a commit that removes herself, because uh the the committer needs to introduce new Q material and alos needs to be removed from theou group cryptographically. So she shouldn't be the one who samples the new C material and injects us into the group, and so partially at least it comes from there as well, um but I I. Think Richard's proposal is a good one and that we should keep this invariant uh alive.

H

Eric yeah, yeah I think that's thanks for thanks for that com. I think that was exactly sort of thing. I wanted to hone in on is it's. The invariant um that was supped at the beginning is if you're in um that you can't be in the MLS group being a participant right, um but you can be participate, not being MLS group in the simple way that basically You' been you haven't yet got.

H

Is there any way in MLS to get back in that state once you had a client added, namely so I was a participant and I added a client and my like explodes um you know: um is there any and I no have a new phone yet? Is there any? Is there any way in this infrastructure to get back to the once? You' ever had a client added to become a clientless, an inactive member of the group. Or can you only go from inactive to active? You see what I mean.

E

um I mean you can go from um from active to inactive if you just propose uh I guess if you have a different semantic for the whole user leaves versus the user. Just uh has his last CL or their last client. Remove itself like propose a removal like this is the example that Matthew I think you you brought up with the browser tab. I want to close my browser, tab um uh and I.

E

Don't have any other client but I still kind of want to be in the group and I want to be able to rejoin the group. Without you know having to having to have someone reinvite me I still want to be authorized to be in the group, and so when I close the browser tab, it sends sends a leave proposal, and so the next person then kind of removes the browser, client and then I'm still I'm in the next. Is that what you meant.

H

Yeah I I think so yeah yeah, because I mean I just wor. Is there, like so I, think that like do we wanna, it seems weird not to not to preserve that invariant, but maybe it's okay, I, don't know like I mean I. Think I like this browser tab example, because it seems like good. It's like a good security practice to you.

H

You know not have this like information, you know, I, don't know what you call it I guess you call like, like some kind of PFS, effectively right um to be like I'm, no longer part of the group so like. Why am I still why you SOC that's key right, um um so I don't know.

B

H

I'm, just trying to think about like is there: is there a way to get back into that state? It doesn't involve kicking yourself out of other group, proper um I, don't feel strong about it, just trying to W my head around it. Thank.

E

You yeah I, think I think the answer to that maybe depends on if we want that as a as a feature like that's kind of a more of a producty question rather than a yeah like not a question of, can we do it, but but do we want to to enable.

E

It okay, if there no more questions and Richard.

E

Yeah I can't hear you I, think your your camera's on, but I don't see the mute coming off in the me EO.

C

Oh test test: there we go.

B

C

G, to kind of pivot, away from the um the examples to kind of broader discussion, um I'm hopeful that at least a few folks have reviewed the documents. um In addition to the framework we've discussed here, um if you've done both, um you can see there's a little bit of a disconnect, um so I think the question for the working group here is you know if we think about what stuff we would want to adopt to start getting working on a protocol? Are we headed toward the right foundations here?

C

um Are the to what degree of the documents uh the suitable Foundation state to be a foundation? To what degree are the concepts we' discussed here? If we were.

F

To take the concepts.

C

From this call and fold them into the documents would be would be be in a pretty good place to start adopting things um so yeah that that's the question for feedback and I'll I'll drop my camera and let discussion on.

F

F, um I guess I'm fting, um so yeah.

D

F

From my perspective, um this feels like a really good compromise um between the um very um sort of purist, MLS approach that Mims proposed in San Fran and the kind of U much more um pragmatic um approach that we were taking on linearized, Matrix I think we basically get Best of Both Worlds here and that we can benefit from the security properties of MLS, whilst making it sufficiently pluggable that um the e2e block can be removed, replaced by other transitional vendor specific um crypto structures which again might not have the same quality of security properties that can evolve in the right direction.

F

So um I basically really appreciate the work um that the design team has done to try to accommodate this slightly um controversial idea of a transitional approach, We've Ended up working with a lot of the big messaging providers. um Whilst this has been going on in parallel and the feedback we've had, there has been pretty positive in terms of something that would work both transitionally, whilst also making sure everybody can end up on mls.

F

In the end, um it does have the uh whole confirmation approach um of the red and the blue arrows effectively, but from my perspective, it's a complication. That is well worth it in terms of the pragmatic win um of how we get to the final end goal. So that's where I'm.

A

H

Yeah so I think um I. So first thanks to design team I think that, like this, this General.

D

H

I think you know seems like quite a good, quite a direction. I think the sort of like the the layout, the sort of the the archit.

C

H

C

H

But also the the way in which they're, together, sensible. um Frankly, the documents are um I would say hard hat.

F

Area, to be honest,.

H

um I spent the time trying to read them and really felt like really felt, was really really difficult, so um so well, I think um uh you know I think this is the right direction. I think you maybe it be appropriate to to option call for the Mimi architecture document um the other documents using a lot of work for R for adoption.

H

um You know, and the bar has to be like you persuade yourself, you could implement this, maybe with open issues as opposed to sort of being a collection of open issues which is really what these documents feel like in many ways. um So um I guess what I would encourage. um I guess I'd, be I'm, happy to find more detailed reviews, but um but I think I think we need at least one more of the documents before we do ad option for anything other than maybe Mimi, Arch um and and I.

H

Think against that be against that bar against the bar, like they should be self-contained, I, think and just to go saying earlier, I think like we should look at merging them pretty substantially. It's just really hard to read them when it's like this thing is like Point thing over here and this thing over here and like and like it's really hard to know. Is this just not defined anywhere or is it defined like in some other document, and no nowhere is Ty complete the answer, but um um but it's just just extremely.

A

Hard anybody else have thoughts on Richard's.

A

Questions go ahead, Richard.

C

And for for avoidance of doubt, I think that, like I I feel pretty kind good about the direction we've got into in the design team. I. Think eer is probably right that we need one more spin of the actual documents before we do an adoption call, but I think we can probably do that in in another couple weeks um get thing you kind of take. What we've discussed here, make the documents a little more concrete um and put something forward to the working group that would be in a more or less adoptable shape.

C

But of course, we always be uh happy to have some more opinions in the room.

A

Yeah, it would be really good to hear from people, especially who are not on the design team. They reactions to what has been.

A

Proposed yep Becker you're, the only one not on the design team, who was chimed in so far so um which is okay. Like I mean the design team is Big um in a way. So that's all right, but just want to make sure everybody has an opportunity.

A

um Okay, so let's maybe come around a little bit to the kind of the plan for these documents, because well, first of all, if they are going to be merged um I'd much rather do an adoption call on like the one or two or three that we think they're going to end up up consolidating down to instead of like six and.

F

A

Do it later, because that feels like messy um so I would I would like to understand whether, like people are committing to that and how that's going to work um from my own reading of them, I feel like that could be quite beneficial. I feel like there's a lot of inconsistency across them and they feel very much like they were authored by different people separately.

A

So um so that's one thing that I I just like to understand from the author team here like what are you going to do and and what's your sort of Target set Tim? Did you want to jump.

G

In yeah speaking as I guess, a working group member and not a chair on the topic of like document consolidation, uh I'm very much in favor of consolidating them like over in the distributed aggregation protocol which I'm working on in the PPM working group. We have a split there where, like one document, is in the PPM working group and then it relies upon another document called VAP. That's in cfrg so like that split makes some sense, because it's across different, like working groups or I, suppose working in research groups, but all of a say.

G

We found it to be like significant, just admin overhead um having these two drafts to Wrangle and there's been at least one case where we messed up the submission of a draft, because we forgot to bump a version number and whatever so. Multiple documents is really just a lot of tedious admin overhead, especially when it's not clear, but it provides a big benefit, so I um heavily favor having fewer.

G

A

Are you with us conran.

E

Yeah, okay, sorry um yeah, if I can maybe respond to that, at least for the and I wrote this in in the chat earlier, um at least for the Mimi DS um I, think it would make sense to have it as a separate document, um because I mean, as as we all know, and and I mean. That's. Why we hear is that MLS is not sufficient to to do messaging in any way, shape or form.

E

There are additional components required, and one of those is indeed a delivery service uh in some some form, and uh so, even though we're not chartered for this having a a a separate like a document that that separately kind of describes a DS and defines a DS would be useful for people outside of this working group who want to uh use MLS but who do not have the um cannot, you know, uh come up with their own DS design or then don't have to come up with their own DS design and having a some sort of reference.

E

Ds in a in a more um yeah in a more kind of in this modular way would make sense. In my.

A

Opinion: okay,.

J

Travis uh yeah, um so as the author of both the policy and signaling documents, um I I think those two spe specifically can be merged. Quite quite easily. um Transport might be a little bit more difficult just because both the DS and remaining portions of the stack need a transport, uh but it is possible that that could be um say Amalgamated into more of a Mimi protocol, stack um the DS kind of on the side.

J

um So I agree with that. That approach sort of idea where we can reduce the number of documents but I, don't think we can get it down to to one. um If that makes.

B

H

Hecker I guess I just don't understand the argument for con down to one seems to be like we want to use this on some other place and, like you know, like.

I

H

The subsections of the document, I guess like the like I'm, just like really I, guess like I', be more I' more open to this. Someone showed me a treatment that like actually was readable and was demounted in that way, but like right now, it's like incredibly hard to follow and and and the most important thing is to be readable for this purpos of working group so like.

H

If someone has a treatment that is like has Mays broken out and like otherwise is really readable, then like I'm, like th, open that but like I, want to see that rather than do that way,.

C

Yeah, just a reinforce act, point about like referencing subsections like we have a bunch of Prior with this in terms of people, reusing serialization formats from quick or TLS, um despite those things being part of the relevant documents, not broken out of separate documents, so yeah I think there's there's this can work in either.

A

B

A

So it sounds like on the design team. You have some agreement around some some of the consolidation of these these documents- maybe not all, um but uh maybe you can work that out in the design team and come back with whatever the proposal is going to be when you come back with it.

C

I I believe the clear feedback has been heard from the working group. That fewer documents is preferable and.

B

C

It more clearly fit together are preferable, yeah, so yeah I think the idea we'll take take the feedback we got today um and stuff that was in the slides, get that folded into the documents from a technical point of view, get things more Consolidated and working better together and hopefully in fewer documents and bring that.

A

Back, okay, I think. The other thing is um you know. Some of some of the documents have still have like external references to what some of the content should be um and I feel like for the purposes of adoption. That really needs to get filled in like even if you even there's, like you know, whatever placeholder, to do like you haven't decided on the design.

A

Yet whatever that's fine but like you have decided on design, but it's like referenced in a GitHub issue or something like let's, let's fix that, so that people can actually like read top to bottom and understand, what's being proposed. um That seems pretty important for adoption. Call as.

A

Well: okay, um now we're just going down my my list of pet peeves as I was reviewing the documents so I'll go to the next one, which is um you know. We had I think a good discussion today about the um the integration with MLS um and uh and like flexibility, for um people to go off and do their own thing. If you have an MLs shaped hole, um so I thought the discussion was good, I. Think again.

A

On this point, the way it's represented in the documents is at at present is not really consistent with the charter of this working group like um uh because we said that we assume use of MLS for key establishment, so I think we need to be kind of pretty strict about, like that's our assumption, and so that's what we build and that's what we put in the documents and like people can assume what they want and and do what they want outside of that scope.

A

um But I think we also need to kind of ditch the language about how we're doing it. Purposefully to um you know. Let people use other encryption protocols like it's. It's not going to be timeless and the rfc's once they get published, never change, so we should take out all the stuff which is kind of like in the current context. Here's what's happening um and just say say what we're specifying and then specify it. So that's my other piece of feedback on the Ed torial changes to be.

A

F

A

F

That's um reasonable, although it does tie into the previous point of consolidation that um I was to Echo the desire for the Mimi DS style end to encryption block to be a separate. Spec almost helps articulate that interface for the Unspeakable people, who might want to swap out that Lego brick for equivalent Lego, shap or.

B

Equivalent shaped.

F

Hole as it's easier, if that is actually a hole with an interface, it can be swapped in and out so B I totally agree that there should be more consolidation and I agree with eeka that the current set of documents are indigestible when swallowed as a whole. um I think there there is an argument for keeping that one more.

C

Modular and just by way of precedent, I note that RFC 9000 quick is separate from RFC 9000 one using CLS to secure quick, so like there is. There is some precedent here for creating the hole and then filling the.

B

H

Eer necessarily.

B

H

To that, but, like I, will tell you that I don't think that actually worked out that well in quick I think it's actually like makes it harder to read the quick documents when you read it that way and there's like a bunch of bunch of like back and forth about where things really belonged and the cut isn't as clean as You' like like um um and like there's all tons of things in qu that, basically assume properties are TLS.

H

So I guess like like, if, if like um I, think you know um and like to be fair like, like you know, TLS is like protocol like a really clear, like ex externalized boundary right um and part of what this Doc is doing was, like so I think you know again like if, if if this can be made readable, um you know we would like the DS broken out, I'm like cool, but if it's like, if it's gonna like and I, think the test here is like.

H

Are you constantly trying to remember what the properties of the DS are in order to read the rest of the document um and then, like that's bad, and if the the properties are like? No, like you have a vague sketch of what the DS does and then like read the document, then that's like cool but like, um um but if, like there's like a lot of back and forth in between them, it's just like like makes it really hard to read.

F

um um I guess it's possible that the DS boundary specifically isn't the right one, it's more the different! um Well, it's the MLS shaped hole which has some overal out with Ds, but also the confirmation Primitives, for instance, made available um to keeping the participant list in the room state in sync, with the underlying um encryption group.

F

um So I I agree with AKA that you shouldn't be sitting there, thinking what the hell is a DS and what is it doing right now, but it might not be that bad abstraction to be thinking um and now I what the equivalent would be for that slightly high level abstraction. It doesn't solve, of course, Conrad's concern about having MIM DS as a standalone thing that can be used as a pure MLS DS irrespec of.

E

Mimi yeah I think I think those are all fair points and all I can really say. Is that sure we'll we'll give it a try and if it doesn't work uh the M media section will then I guess just become a subsection which can easily be done? I guess so uh yeah we'll we'll give it a go and you'll you'll, you know be the judge of if it worked or.

A

Not sounds good, um then. My next question is about the architecture document. um If you want to keep that separate and that one's been around longer I know it got updated, um but if we're keeping it separate, we could sort of PLL for adoption today and confirm on the list. But if you're going to fold it in then we won't do that.

C

So I think I would probably keep it separate.

C

B

I hadn't thought about.

C

It since just started consolidation.

B

C

um I think yeah I would probably keep it separate in the same sense that, like MLS, did an architecture protocol distinction, um as in that case also there is, there will be some overlap in terms of overall. You know the overall logic of how the thing operates. They'll have some overview of that in the protocol document to warm people up, but also describe that in the architecture.

C

um I mean if I mean yeah I I, don't have strong feelings, but I would probably keep it separate. Okay, it needs to go, go ahead of the protocol Docs in terms.

H

I'm not sure I have strong feelings either, but I would probably merge it. um I think I think I mean I, think it Ser as a nice as a nice introduction to Consolidated document, um which I think, like largely in much respect. I think may have been better other context too. So again, I'm not gonna like fight strongly on it, but I. Think, like the question is like how much material we end up duplicating the question. Is you need to read the architecture document order?

H

Read the protoc make sense the protocol document and, if you don't how much mat replicating between one and the other, um so maybe something we just discover.

A

F

I'd say the acid test from my side is: if we have multiple documents, which seems fairly likely um for the overall sort of mini set of rfc's, as it were, then from my experience purely as a consumer over reading these um the benefit of having an architecture that gives you the high level tour and lets you figure out, which of the other RS you care about, and what you should be reading is absolutely invaluable and I think the MLS does a at least at the drafting stage.

F

The MLS architecture D draft helped a lot as I was navigating around MLS, um so kind of plus one to.

A

Richard Point ran.

I

Yeah ditto, uh basically like it. For me, a good architecture document is kind of the like all right. What like what are we doing, and then the other documents are the how um so I I I do like the idea that of an architect picture being separate for that.

A

Reason: okay, um I! Think: oh Rowan, are you back in the queue okay, um I think uh I mean given that that you're going to go back and and do a spin of the others um we can. We can revisit this uh next time when those when those are done and if we want to do separate documents and separate calls, then we can do it at that point. I, don't think we to do it.

A

Today, okay I think: oh um Richard did you have something yeah.

C

I was just going to Concur and say: let just handle.

A

All it together, okay, um I, think, that's! That's all the issues that I had in mind to raise on the design team. Does anybody have any further thoughts anything else to talk about on this.

A

Okay, um I was looking at the uh the doodle poll results and I think we have a couple of dates um in October that are looking kind of good, maybe October, 10th and 19th. So I'm, assuming 10th, is too soon to come back to this topic, but feel free to get in the queue and tell me that I'm wrong. um So if we schedule those two, then probably the 10th will come back to discovery, which we have lots more to talk about, and then um 19th come back to this.

A

But of course like send us the documents whenever they're ready, so people can review and we don't have to have a meeting in order to to move forward, but it could be a good demarcation point to get that moving again. That's kind of my thinking does that sound, okay, okay, Richard says it's good. All right, I, don't think I have anything else. Tim. Do you have anything.

G

Else, uh I do not except I, guess I note of thanks to the design team for all their.

A

Work, yes, thank you very much really appreciate all the time you've been putting in and thank you to Matthew for taking notes today, um check for email about those interms coming up and we'll look for the design team documents.

I

A

Thanks all right thanks, everyone.

I

E

E