draft-ralston-mimi-policy-00.txt | draft-ralston-mimi-policy-01.txt | |||
---|---|---|---|---|
More Instant Messaging Interoperability T. Ralston | More Instant Messaging Interoperability T. Ralston | |||
Internet-Draft M. Hodgson | Internet-Draft M. Hodgson | |||
Intended status: Standards Track The Matrix.org Foundation C.I.C. | Intended status: Standards Track The Matrix.org Foundation C.I.C. | |||
Expires: 26 March 2024 23 September 2023 | Expires: 23 September 2024 22 March 2024 | |||
MIMI Policy Envelope | More Instant Messaging Interoperability (MIMI) Policy | |||
draft-ralston-mimi-policy-00 | draft-ralston-mimi-policy-01 | |||
Abstract | Abstract | |||
The MIMI Policy Envelope describes a _policy control protocol_ and | This document specifies an authorization policy framework for the | |||
_participation control protocol_ for use in a room, applied at the | More Instant Messaging Interoperability (MIMI) working group's | |||
user participation level, as described by [I-D.barnes-mimi-arch]. | transport protocol. It makes use of a Role-Based Access Control | |||
(RBAC) mechanism to grant/deny permissions to users, clients, and | ||||
servers. | ||||
About This Document | About This Document | |||
This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
The latest revision of this draft can be found at | The latest revision of this draft can be found at | |||
https://turt2live.github.io/ietf-mimi-policy/draft-ralston-mimi- | https://turt2live.github.io/ietf-mimi-policy/draft-ralston-mimi- | |||
policy.html. Status information for this document may be found at | policy.html. Status information for this document may be found at | |||
https://datatracker.ietf.org/doc/draft-ralston-mimi-policy/. | https://datatracker.ietf.org/doc/draft-ralston-mimi-policy/. | |||
skipping to change at page 1, line 48 ¶ | skipping to change at page 2, line 4 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 23 September 2024. | ||||
This Internet-Draft will expire on 26 March 2024. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | |||
2.1. Permissions Definitions . . . . . . . . . . . . . . . . . 4 | 2.1. Permissions Definitions . . . . . . . . . . . . . . . . . 4 | |||
2.2. Participation Definitions . . . . . . . . . . . . . . . . 4 | 2.2. Participation Definitions . . . . . . . . . . . . . . . . 4 | |||
3. Event Authorization . . . . . . . . . . . . . . . . . . . . . 5 | 3. Types of Senders . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3.1. Auth Events Selection . . . . . . . . . . . . . . . . . . 5 | 4. Permissions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
4. Types of Senders . . . . . . . . . . . . . . . . . . . . . . 6 | 4.1. Calculating Permissions . . . . . . . . . . . . . . . . . 5 | |||
5. Permissions . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.2. Effective Power Level . . . . . . . . . . . . . . . . . . 6 | |||
5.1. Calculating Permissions . . . . . . . . . . . . . . . . . 7 | 4.3. List of Permissions . . . . . . . . . . . . . . . . . . . 7 | |||
5.2. Effective Power Level . . . . . . . . . . . . . . . . . . 8 | 4.4. Role Changes . . . . . . . . . . . . . . . . . . . . . . 8 | |||
5.3. List of Permissions . . . . . . . . . . . . . . . . . . . 8 | 5. User Participation . . . . . . . . . . . . . . . . . . . . . 8 | |||
5.4. Event Sending Permissions . . . . . . . . . . . . . . . . 10 | 5.1. General Conditions . . . . . . . . . . . . . . . . . . . 9 | |||
5.5. Role Changes . . . . . . . . . . . . . . . . . . . . . . 10 | 5.2. Invite Conditions . . . . . . . . . . . . . . . . . . . . 9 | |||
6. User Participation . . . . . . . . . . . . . . . . . . . . . 10 | 5.3. Join Conditions . . . . . . . . . . . . . . . . . . . . . 9 | |||
6.1. General Conditions . . . . . . . . . . . . . . . . . . . 11 | 5.4. Knock Conditions . . . . . . . . . . . . . . . . . . . . 9 | |||
6.2. Invite Conditions . . . . . . . . . . . . . . . . . . . . 11 | 5.5. Ban Conditions . . . . . . . . . . . . . . . . . . . . . 10 | |||
6.3. Join Conditions . . . . . . . . . . . . . . . . . . . . . 11 | 5.6. Leave Conditions . . . . . . . . . . . . . . . . . . . . 10 | |||
6.4. Knock Conditions . . . . . . . . . . . . . . . . . . . . 11 | 5.6.1. Voluntary . . . . . . . . . . . . . . . . . . . . . . 10 | |||
6.5. Ban Conditions . . . . . . . . . . . . . . . . . . . . . 12 | 5.6.2. Kicks . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
6.6. Leave Conditions . . . . . . . . . . . . . . . . . . . . 12 | 5.7. Join Rules . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
6.6.1. Voluntary . . . . . . . . . . . . . . . . . . . . . . 12 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
6.6.2. Kicks . . . . . . . . . . . . . . . . . . . . . . . . 12 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
6.7. m.room.join_rules . . . . . . . . . . . . . . . . . . . . 13 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
7. Event/History Visibility . . . . . . . . . . . . . . . . . . 13 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
7.1. m.room.history_visibility . . . . . . . . . . . . . . . . 14 | 8.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | ||||
9.2. Informative References . . . . . . . . . . . . . . . . . 15 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | ||||
1. Introduction | 1. Introduction | |||
The primary objective for the More Instant Messaging Interoperability | This document relies on the concepts described by | |||
(MIMI) working group is to specify the needed protocols to achieve | [I-D.barnes-mimi-arch] and [I-D.ralston-mimi-protocol]. | |||
interoperability among modern messaging providers. The protocols | ||||
which make up the "MIMI stack" are described by | ||||
[I-D.barnes-mimi-arch]. | ||||
In the stack are a policy control protocol and a participation | ||||
control protocol. These two control protocols are described by this | ||||
document, supported by *TODO(TR): Link to I-D.ralston-mimi- | ||||
signaling*. | ||||
Policy control is handled through permissions, while participation is | ||||
managed primarily through the rules governing m.room.user. Together, | ||||
these control protocols create this policy document. | ||||
When an action is impossible for a server to enforce, such as when a | Policy within MIMI defines who or what is allowed to take a certain | |||
client operated by a user sends an encrypted instant message, the | action, and what the allowable actions are. Some examples include | |||
receiving clients are responsible for enforcing the remainder of the | whether a given user is able to send messages or promote/demote other | |||
policy. This may mean, for example, decrypting a message but not | users within the room. This document outlines the minimum | |||
rendering it due to a policy violation. | permissions required for interoperability, and how the Role-Based | |||
Access Control (RBAC) mechanism works. | ||||
The concepts of permissions and participation state for a user are | Some actions are enforceable by the hub server or local follower | |||
deliberately separated in this policy document. A user's | server in a room, however other actions can only be handled by end | |||
participation state might affect which permissions they can use, but | clients. Whether a server can enforce the policy largely depends on | |||
a user's permissions do not change their participation in a room. | the server's visibility of the message being checked: MLS Private | |||
Messages cannot be inspected, and therefore cannot have policy | ||||
applied to them by the server. Such messages will need to be checked | ||||
by the clients instead. | ||||
2. Conventions and Definitions | 2. Conventions and Definitions | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
Terms from [I-D.barnes-mimi-arch] and [I-D.ralston-mimi-terminology] | Terms from [I-D.barnes-mimi-arch], [I-D.ralston-mimi-terminology], | |||
are used throughout this document. [I-D.barnes-mimi-arch] takes | and [I-D.ralston-mimi-protocol] are used throughout this document. | |||
precedence where there's conflict. | [I-D.barnes-mimi-arch] takes precedence where there's conflict. | |||
Terms from *TODO(TR): Link to I-D.ralston-mimi-signaling* are used | ||||
throughout this document. | ||||
Other terms include: | Other terms include: | |||
_Rejected_: The action being performed ceases to continue through the | _Rejected_: The action being performed ceases to continue through the | |||
remainder of the send/rendering steps. For a hub server, this means | remainder of the send/rendering steps. For a hub server, this means | |||
the event being sent is not added to the room and is not sent to any | the event being sent is not added to the room and is not sent to any | |||
other server. For a client, this equates to not rendering or | other server. For a client, this equates to not rendering or | |||
respecting the action. | respecting the action. | |||
_Allowed_: The opposite of Rejected. The action is expressly | _Allowed_: The opposite of Rejected. The action is expressly | |||
skipping to change at page 5, line 8 ¶ | skipping to change at page 4, line 47 ¶ | |||
_Banned_: The target is kicked and cannot be invited, joined, or | _Banned_: The target is kicked and cannot be invited, joined, or | |||
knock on the room until unbanned. | knock on the room until unbanned. | |||
_Knocking_: The sender is requesting an invite into the room. They | _Knocking_: The sender is requesting an invite into the room. They | |||
can either be welcomed in (invited) or declined (kicked). | can either be welcomed in (invited) or declined (kicked). | |||
_Kicked_: Involuntary leave. The target and sender are not the same | _Kicked_: Involuntary leave. The target and sender are not the same | |||
user. | user. | |||
3. Event Authorization | 3. Types of Senders | |||
When a hub server receives an event, and before it adds it to the | ||||
room, it MUST ensure the event passes the policy for the room. In | ||||
the case of this document, the server MUST ensure the following | ||||
checks are performed: | ||||
1. The event is correctly signed and hashed. | ||||
2. The event's authEvents include the appropriate event types | ||||
(Section 3.1). | ||||
3. The sender has permission (Section 5.1) to send the event. | ||||
4. Any event type-specific checks are performed, as described | ||||
throughout this document. | ||||
3.1. Auth Events Selection | ||||
When a server is populating authEvents, it MUST include the event IDs | ||||
for the following event types. These SHOULD be the most recent event | ||||
IDs for the event types. | ||||
Note: m.room.create MUST always have an empty authEvents array. | ||||
* The m.room.create event. | ||||
* The m.room.user event for the sender, if applicable. | ||||
* The m.room.role_map event (Section 5), if set. | ||||
* The m.room.role events (Section 5) assigned to the user sender, if | ||||
any. | ||||
* If the event type is m.room.user: | ||||
- The target user's m.room.user event, if any. | ||||
- If the participation state is join or invite, the | ||||
m.room.join_rules event (Section 6.7), if any. | ||||
*TODO(TR): Restricted joins join_authorised_via_users_server? (GH | ||||
issue (https://github.com/turt2live/ietf-mimi-policy/issues/1))* | ||||
If an event is missing from authEvents but should have been included | ||||
with the above selection algorithm, the event is rejected. | ||||
If events not intended to be selected using the above algorithm above | ||||
are included in authEvents, the event is rejected. This extends to | ||||
events which aren't known or are malformed in authEvents. | ||||
If an event uses non-current events in its authEvents, it is | ||||
rejected. | ||||
4. Types of Senders | *TODO*: Figure out non-user permission structures. | |||
https://github.com/turt2live/ietf-mimi-policy/issues/2 | ||||
*TODO(TR): Do we want to send as not-users? (GH issue | 4. Permissions | |||
(https://github.com/turt2live/ietf-mimi-policy/issues/2))* | ||||
Currently this document only supports sender being a user ID. | Groups of permissions are known as roles. These roles are then | |||
assigned to a user or server as needed. Permissions cannot be | ||||
assigned without being part of a role. | ||||
5. Permissions | Roles do not currently carry aesthetic characteristics, such as a | |||
name, badge color, or avatar. | ||||
Rooms are capable of defining their own roles for grouping | Roles, and their assignees, are persisted through the AppSync MLS | |||
permissions to apply to users. These roles do not currently have | extension. Changes are proposed with MLS Proposals, and confirmed | |||
aesthetic characteristics, such as a display name, badge color, or | with MLS Commits. This uses the mimiRoomPolicy applicationId defined | |||
avatar. | by [I-D.ralston-mimi-protocol]. | |||
Roles are described by an m.room.role state event. The state key for | *TODO*: Define actual example/schema once AppSync is more reviewed | |||
the event is the "role ID", and is not intended to be human readable. | by the MLS working group. Initial indications are unclear if a | |||
diff or "irreducible" blob is preferred. | ||||
The content for the event has the following structure in TLS | A role _notionally_ looks like the following: | |||
presentation language format (Section 3 of [RFC8446]): | ||||
enum { | enum { | |||
// Iterated later in the document. | /* Iterated later in the document. */ | |||
} Permission; | } Permission; | |||
struct { | struct { | |||
select (Permission) { | select (Permission) { | |||
// cases defined later in the document. | /* cases defined later in the document. */ | |||
} permission; | } permission; | |||
} PermissionValue; | } PermissionValue; | |||
struct { | struct { | |||
PermissionValue permissions[]; | PermissionValue permissions<V>; | |||
} MRoomRoleEventContent; | IdentifierUri assignees<V>; | |||
int order; | ||||
Users are assigned to roles using an m.room.role_map state event, | } Role; | |||
with empty string for a state key. The content being as follows: | ||||
struct { | ||||
// The role's ID. | ||||
opaque roleId; | ||||
// The user IDs who are assigned this role. | ||||
opaque userIds[]; | ||||
// The power level for the role. This is used in cases of tiebreak and to | ||||
// override permissions from another role. | ||||
uint32 order; | ||||
} RoleConfig; | ||||
struct { | ||||
RoleConfig roles[]; | ||||
} MRoomRoleMapEventContent; | ||||
Each role ID MUST only appear once in MRoomRoleMapEventContent.roles. | IdentifierUri is as defined by Section 5.2 of | |||
Each RoleConfig.order MUST be distinct from all other entries. If | [I-D.ralston-mimi-protocol]. | |||
either of these checks fail when a server receives the event, the | ||||
event is rejected. | ||||
5.1. Calculating Permissions | 4.1. Calculating Permissions | |||
A user's permissions is the sum of the permissions described by their | An entity's permissions is the sum of the permissions described by | |||
assigned roles. When two roles define the same permission (but with | their assigned roles. When two roles define the same permission (but | |||
different values), the higher order role takes precedence. | with different values), the higher order role takes precedence. | |||
For example, if given the following role structure... | For example, if given the following role structure... | |||
* Role A, order 1. | * Role A, order 1. | |||
- Permission A = true | - Permission A = true | |||
- Permission B = false | - Permission B = false | |||
* Role B, order 2. | * Role B, order 2. | |||
skipping to change at page 8, line 14 ¶ | skipping to change at page 6, line 30 ¶ | |||
... and a user assigned all three roles, the user's resolved set of | ... and a user assigned all three roles, the user's resolved set of | |||
permissions would be: | permissions would be: | |||
* Permission A = false (takes Role B's value) | * Permission A = false (takes Role B's value) | |||
* Permission B = true (takes Role C's value) | * Permission B = true (takes Role C's value) | |||
* Permission C = false (defined by Role B, no conflict with Role C) | * Permission C = false (defined by Role B, no conflict with Role C) | |||
These permissions are then used to define whether a user can "send" | These permissions are then used to define whether a user can perform | |||
the event. | the action. | |||
5.2. Effective Power Level | 4.2. Effective Power Level | |||
In some cases it is required to know the "power level" for a user to | In some cases it is required to know the "power level" for a user to | |||
solve tiebreaks. The power level of a user is the highest order role | solve tiebreaks. The power level of a user is the highest order role | |||
they are assigned with the desired permission set, regardless of | they are assigned with the desired permission set, regardless of | |||
value for that permission. | value for that permission. | |||
Using the example from Section 5.1, a user with all three roles would | Using the example from Section 4.1, a user with all three roles would | |||
have the following effective power levels for each permission in | have the following effective power levels for each permission in | |||
question: | question: | |||
* Permission A = 2 | * Permission A = 2 | |||
* Permission B = 3 | * Permission B = 3 | |||
* Permission C = 3 | * Permission C = 3 | |||
5.3. List of Permissions | 4.3. List of Permissions | |||
The full definitions for Permission and PermissionValue in Section 5 | The full definitions for Permission and PermissionValue in Section 4 | |||
is: | is: | |||
enum { | enum { | |||
// Whether other users can be invited to the room by the role. | // Whether other users can be added to the room by the role. | |||
// Default: false. | // Default: false. | |||
invite(1), | add(1), | |||
// Whether other users can be kicked from the room by the role. | // Whether other users can be kicked from the room by the role. | |||
// Default: false. | // Default: false. | |||
kick(2), | kick(2), | |||
// Whether other users can be banned from the room by the role. | // Whether other users can be banned from the room by the role. | |||
// Default: false. | // Default: false. | |||
ban(3), | ban(3), | |||
// Whether another user's events can be redacted by the role. | // Whether another user's events can be redacted by the role. | |||
skipping to change at page 9, line 4 ¶ | skipping to change at page 7, line 24 ¶ | |||
// Whether other users can be kicked from the room by the role. | // Whether other users can be kicked from the room by the role. | |||
// Default: false. | // Default: false. | |||
kick(2), | kick(2), | |||
// Whether other users can be banned from the room by the role. | // Whether other users can be banned from the room by the role. | |||
// Default: false. | // Default: false. | |||
ban(3), | ban(3), | |||
// Whether another user's events can be redacted by the role. | // Whether another user's events can be redacted by the role. | |||
// Senders can always redact their own events regardless of this permission. | // Senders can always redact their own events regardless of this permission. | |||
// Default: false. | // Default: false. | |||
redact(4), // TODO(TR): Do we need this one? | redact(4), // TODO(TR): Do we need this one? | |||
// The event types the role is able to send. | ||||
// Default: None. | ||||
events(5), | ||||
// The actions this role can take against roles. For example, adding or | // The actions this role can take against roles. For example, adding or | |||
// removing permissions. | // removing permissions. | |||
// Default: None. | // Default: None. | |||
roles(6), | roles(5), | |||
// Whether the assigned entities can send messages to the room. | ||||
// Default: true. | ||||
sendMessages(6), // TODO(TR): This likely needs breaking out. | ||||
} Permission; | } Permission; | |||
struct { | struct { | |||
select (Permission) { | select (Permission) { | |||
case invite: BooleanPermission; | case invite: BooleanPermission; | |||
case kick: BooleanPermission; | case kick: BooleanPermission; | |||
case ban: BooleanPermission; | case ban: BooleanPermission; | |||
case redact: BooleanPermission; | case redact: BooleanPermission; | |||
case events: EventTypePermission; | ||||
case roles: RolePermission; | case roles: RolePermission; | |||
case sendMessages: BooleanPermission; | ||||
} permission; | } permission; | |||
} PermissionValue; | } PermissionValue; | |||
struct { | struct { | |||
// When false, the permission is explicitly not granted. | // When false, the permission is explicitly not granted. | |||
byte granted; | byte granted; | |||
} BooleanPermission; | } BooleanPermission; | |||
struct { | ||||
// The event type being gated by a permission. | ||||
opaque eventType; | ||||
// When false, the permission to send the event is explicitly not granted. | ||||
byte granted; | ||||
} EventTypePermissionRecord; | ||||
struct { | ||||
// The event type restrictions. If there are duplicates, the lastmost entry | ||||
// takes priority. | ||||
EventTypePermissionRecord eventTypes[]; | ||||
} EventTypePermission; | ||||
struct { | struct { | |||
// The role IDs that can be affected by this role. This includes adding, | // The role IDs that can be affected by this role. This includes adding, | |||
// removing, and changing permissions. | // removing, and changing permissions. | |||
// TODO(TR): We might want something more comprehensive. | // TODO(TR): We might want something more comprehensive. | |||
opaque affectRoleId[]; | opaque affectRoleId[]; | |||
} RolePermission; | } RolePermission; | |||
5.4. Event Sending Permissions | *TODO*: Determine which permissions are needed to fulfill | |||
[I-D.ietf-mimi-content]. | ||||
The sender for an event MUST have permission (Section 5.1) to send | 4.4. Role Changes | |||
that event type, unless the event type is m.room.user. User | ||||
participation events are handled specifically in Section 6. | ||||
The sender MUST also be in the joined state to send such events. | *TODO*: I believe we need words to describe how to use the role | |||
permissions described above. Probably something using effective | ||||
power levels and talking about what "add", "remove", and "change" | ||||
actually mean. | ||||
5.5. Role Changes | *TODO*: We also need to specify that the creator has superuser | |||
permissions until a role is defined/assigned. | ||||
*TODO(TR): I believe we need words to describe how to use the role | 5. User Participation | |||
permissions described above. Probably something using effective | ||||
power levels and talking about what "add", "remove", and "change" | ||||
actually mean.* | ||||
*TODO(TR): We also need to specify that the creator has superuser | *TODO*: Needs updating considering participation state changes are | |||
permissions until a role is defined/assigned.* | proposed through AppSync now. The concepts around the rules of | |||
state changes still apply. | ||||
6. User Participation | *TODO*: "Invite" likely needs swapping for "Add". | |||
User participation is tracked as m.room.user state events. The | User participation is tracked as m.room.user state events. The | |||
content for such an event has the following structure in TLS | content for such an event has the following structure in TLS | |||
presentation language format (Section 3 of [RFC8446]): | presentation language format (Section 3 of [RFC8446]): | |||
enum { | enum { | |||
invite, // "Invited" state. | invite, // "Invited" state. | |||
join, // "Joined" state. | join, // "Joined" state. | |||
leave, // "Left" state (including Kicked). | leave, // "Left" state (including Kicked). | |||
ban, // "Banned" state. | ban, // "Banned" state. | |||
skipping to change at page 11, line 5 ¶ | skipping to change at page 9, line 10 ¶ | |||
A user is considered to be "joined" to a room if they have a | A user is considered to be "joined" to a room if they have a | |||
participation state of join. All servers with users in the joined | participation state of join. All servers with users in the joined | |||
state are considered to be "in" the room. | state are considered to be "in" the room. | |||
Servers which are in the room can send events for their users | Servers which are in the room can send events for their users | |||
directly. The signaling protocol is able to assist servers (and | directly. The signaling protocol is able to assist servers (and | |||
therefore users) in sending the appropriate participation events | therefore users) in sending the appropriate participation events | |||
until they are able complete the join process. | until they are able complete the join process. | |||
6.1. General Conditions | 5.1. General Conditions | |||
*TODO(TR): This is where we'd put server ACLs. (GH issue | *TODO*: This is where we'd put server ACLs - | |||
(https://github.com/turt2live/ietf-mimi-policy/issues/3))* | https://github.com/turt2live/ietf-mimi-policy/issues/3 | |||
6.2. Invite Conditions | 5.2. Invite Conditions | |||
The target user for an invite MUST: | The target user for an invite MUST: | |||
* NOT already be in the banned state. | * NOT already be in the banned state. | |||
* NOT already be in the joined state. | * NOT already be in the joined state. | |||
The sender for an invite MUST: | The sender for an invite MUST: | |||
* Already be in the joined state. | * Already be in the joined state. | |||
* Have permission (Section 5.1) to invite users. | * Have permission (Section 4.1) to invite users. | |||
Otherwise, reject. | Otherwise, reject. | |||
6.3. Join Conditions | 5.3. Join Conditions | |||
The target and sender of a join MUST be the same. | The target and sender of a join MUST be the same. | |||
Whether a user can join without invite is dependent on the join rules | Whether a user can join without invite is dependent on the join rules | |||
(Section 6.7). | (Section 5.7). | |||
If the join rule is invite or knock, the user MUST already be in the | If the join rule is invite or knock, the user MUST already be in the | |||
joined or invite state. | joined or invite state. | |||
If the join rule is public, the user MUST NOT already be in the | If the join rule is public, the user MUST NOT already be in the | |||
banned state. | banned state. | |||
Otherwise, reject. | Otherwise, reject. | |||
6.4. Knock Conditions | 5.4. Knock Conditions | |||
The target and sender of a knock MUST be the same. | The target and sender of a knock MUST be the same. | |||
If the current join rule (Section 6.7) for the room is knock, the | If the current join rule (Section 5.7) for the room is knock, the | |||
user MUST NOT already be in the banned or joined state. | user MUST NOT already be in the banned or joined state. | |||
Otherwise, reject. | Otherwise, reject. | |||
6.5. Ban Conditions | 5.5. Ban Conditions | |||
The sender for a ban MUST: | The sender for a ban MUST: | |||
* Already be in the joined state. | * Already be in the joined state. | |||
* Have permission (Section 5.1) to ban users. | * Have permission (Section 4.1) to ban users. | |||
Otherwise, reject. | Otherwise, reject. | |||
Note that a ban implies kick. | Note that a ban implies kick. | |||
6.6. Leave Conditions | 5.6. Leave Conditions | |||
Leaves in a room come in two varieties: voluntary and kicks. | Leaves in a room come in two varieties: voluntary and kicks. | |||
Voluntary leaves are when the user no longer wishes to be an active | Voluntary leaves are when the user no longer wishes to be an active | |||
participant in the room. A kick is done to remove a user forcefully. | participant in the room. A kick is done to remove a user forcefully. | |||
When the target and sender of a leave is the same, it is a voluntary | When the target and sender of a leave is the same, it is a voluntary | |||
leave. | leave. | |||
6.6.1. Voluntary | 5.6.1. Voluntary | |||
The user MUST be in the invited, joined, or knocking state. | The user MUST be in the invited, joined, or knocking state. | |||
Otherwise, reject. | Otherwise, reject. | |||
6.6.2. Kicks | 5.6.2. Kicks | |||
The target user for a kick MUST: | The target user for a kick MUST: | |||
* Already be in the joined state. | * Already be in the joined state. | |||
The sender for a kick MUST: | The sender for a kick MUST: | |||
* Already be in the joined state. | * Already be in the joined state. | |||
* Have permission (Section 5.1) to kick users. | * Have permission (Section 4.1) to kick users. | |||
* Have a higher (and NOT equal to) effective power level with | * Have a higher (and NOT equal to) effective power level with | |||
respect to the kick permission (Section 5.2) than the target user. | respect to the kick permission (Section 4.2) than the target user. | |||
If the target user is in the banned state, the sender requires | If the target user is in the banned state, the sender requires | |||
permission to ban users instead (as to ban means to unban as well). | permission to ban users instead (as to ban means to unban as well). | |||
This additionally extends to the effective power level check. | This additionally extends to the effective power level check. | |||
Otherwise, reject. | Otherwise, reject. | |||
6.7. m.room.join_rules | 5.7. Join Rules | |||
*State key*: Empty string. | ||||
*Content*: | *TODO*: Convert to an AppSync-style policy flag. It will need an | |||
associated permission. | ||||
enum { | enum { | |||
invite, | invite, | |||
knock, | knock, | |||
public, | public, | |||
} JoinRule; | } JoinRule; | |||
struct { | struct { | |||
// The current join rule for the room. Defaults to `invite` if no join rules | // The current join rule for the room. Defaults to `invite` if no join rules | |||
// event is in the room. | // event is in the room. | |||
JoinRule rule; | JoinRule rule; | |||
} MRoomJoinRulesEventContent; | } PolicyJoinRule; | |||
*Redaction considerations*: rule under content is protected from | ||||
redaction. | ||||
7. Event/History Visibility | ||||
Unless otherwise specified by the event type, non-state events MUST | ||||
NOT be sent to a user's client if the history visibility rules | ||||
prohibit it. State events are always visible to clients. | ||||
When a server is fetching events it is missing to build history, the | ||||
returned events are redacted unless the server has at least one user | ||||
which is able to see the event under the history visibility rules. | ||||
The server must then further filter the events before sending them to | ||||
clients. | ||||
History visibility rules are defined by m.room.history_visibility | ||||
(Section 7.1), and can only affect future events. Events sent before | ||||
the history visibility rule change are not retroactively affected. | ||||
Taking into consideration the m.room.history_visibility event that is | ||||
current at the time an event was sent, a user's visibility of a that | ||||
event is described as: | ||||
* If the visibility rule was world, show. | ||||
* If the user was in the joined state, show. | ||||
* If the visibility rule was shared and the user was in the joined | ||||
state at any point after the event was sent, show. | ||||
* If the user was in the invited state, and the visibility rule was | ||||
invited, show. | ||||
* Otherwise, don't show. | ||||
7.1. m.room.history_visibility | ||||
*State key*: Empty string. | ||||
*Content*: | ||||
enum { | ||||
invited, | ||||
joined, | ||||
shared, | ||||
world, | ||||
} Visibility; | ||||
struct { | ||||
// The current join rule for the room. Defaults to `shared` if no history | ||||
// visibility event is present in the room. | ||||
Visibility visibility; | ||||
} MRoomHistoryVisibilityEventContent; | ||||
*Redaction considerations*: visibility under content is protected | ||||
from redaction. | ||||
8. IANA Considerations | ||||
This document as a whole makes up the m.0 policy ID, as per | ||||
*TODO(TR): Link to I-D.ralston-mimi-signaling*. | ||||
This document's descriptions for the following event types are | ||||
registered to the event types registry in *TODO(TR): Link to I- | ||||
D.ralston-mimi-signaling*: | ||||
* m.room.role (Section 5) | 6. Security Considerations | |||
* m.room.role_map (Section 5) | *TODO*: Verbosely describe the security considerations throughout | |||
the doc. | ||||
* m.room.join_rules (Section 6.7) | 7. IANA Considerations | |||
* m.room.history_visibility (Section 7.1) | None. | |||
9. References | 8. References | |||
9.1. Normative References | 8.1. Normative References | |||
[I-D.barnes-mimi-arch] | [I-D.barnes-mimi-arch] | |||
Barnes, R., "An Architecture for More Instant Messaging | Barnes, R., "An Architecture for More Instant Messaging | |||
Interoperability (MIMI)", Work in Progress, Internet- | Interoperability (MIMI)", Work in Progress, Internet- | |||
Draft, draft-barnes-mimi-arch-01, 22 September 2023, | Draft, draft-barnes-mimi-arch-03, 4 March 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-barnes-mimi- | <https://datatracker.ietf.org/doc/html/draft-barnes-mimi- | |||
arch-01>. | arch-03>. | |||
[I-D.ralston-mimi-protocol] | ||||
Barnes, R., Hodgson, M., Kohbrok, K., Mahy, R., Ralston, | ||||
T., and R. Robert, "More Instant Messaging | ||||
Interoperability (MIMI) using HTTPS and MLS", Work in | ||||
Progress, Internet-Draft, draft-ralston-mimi-protocol-02, | ||||
4 March 2024, <https://datatracker.ietf.org/doc/html/ | ||||
draft-ralston-mimi-protocol-02>. | ||||
[I-D.ralston-mimi-terminology] | [I-D.ralston-mimi-terminology] | |||
Ralston, T., "MIMI Terminology", Work in Progress, | Ralston, T., "MIMI Terminology", Work in Progress, | |||
Internet-Draft, draft-ralston-mimi-terminology-02, 10 July | Internet-Draft, draft-ralston-mimi-terminology-03, 23 | |||
2023, <https://datatracker.ietf.org/doc/html/draft- | October 2023, <https://datatracker.ietf.org/doc/html/ | |||
ralston-mimi-terminology-02>. | draft-ralston-mimi-terminology-03>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/rfc/rfc2119>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | |||
9.2. Informative References | 8.2. Informative References | |||
[I-D.ietf-mimi-content] | ||||
Mahy, R., "More Instant Messaging Interoperability (MIMI) | ||||
message content", Work in Progress, Internet-Draft, draft- | ||||
ietf-mimi-content-02, 4 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-mimi- | ||||
content-02>. | ||||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/rfc/rfc8446>. | <https://www.rfc-editor.org/rfc/rfc8446>. | |||
Authors' Addresses | Authors' Addresses | |||
Travis Ralston | Travis Ralston | |||
The Matrix.org Foundation C.I.C. | The Matrix.org Foundation C.I.C. | |||
Email: travisr@matrix.org | Email: travisr@matrix.org | |||
End of changes. 73 change blocks. | ||||
303 lines changed or deleted | 155 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |