-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC3202: Encrypted appservices #3202
Open
turt2live
wants to merge
13
commits into
old_master
Choose a base branch
from
travis/msc/otk-dl-appservice
base: old_master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from 3 commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
d56527b
Encrypted appservices
turt2live efabfe4
Guess number
turt2live 3f394a8
number
turt2live f551ae5
Mention opt-in registration flag
turt2live 4f6e256
Add device_id assertion
turt2live 9001a67
Mention device_id prefixing
turt2live 472226b
Document optimizations
turt2live 937e4c5
Include fallback key support
turt2live 9893a5f
Document appservice transaction retries and handling
turt2live 208decb
Update unstable prefixing
turt2live e586c39
Merge branch 'old_master' into travis/msc/otk-dl-appservice
turt2live f875ffe
Fix naming of `device_one_time_key_counts` to match CS API
turt2live 47d2080
Actually, *this* matches the CS API
turt2live File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,82 @@ | ||
# MSC3202: Encrypted Appservices | ||
|
||
Presently, appservices in Matrix are capable of attaching themselves to a homeserver for high-traffic | ||
bot-like usecases, such as bridging and operationally expensive bots. Traditionally, these appservices | ||
only work in unencrypted rooms due to not having enough context on the encryption state to actually | ||
function properly. | ||
|
||
This MSC targets the missing bits to support encryption at the appservice level: other MSCs, such as | ||
[MSC2409](https://github.com/matrix-org/matrix-doc/pull/2409) and [MSC2778](https://github.com/matrix-org/matrix-doc/pull/2778) | ||
give appservices foundational pieces to get device IDs and to-device messages, as required by encryption. | ||
|
||
## Proposal | ||
|
||
This proposal takes inspiration from [MSC2409](https://github.com/matrix-org/matrix-doc/pull/2409) by | ||
defining a new set of keys on the appservice `/transactions` endpoint, similar to sync: | ||
|
||
```json5 | ||
{ | ||
"events": [ | ||
// as defined today | ||
], | ||
"ephemeral": [ | ||
// MSC2409 | ||
], | ||
"device_lists": { | ||
"changed": ["@alice:example.org"], | ||
"left": ["@bob:example.com"] | ||
}, | ||
"device_one_time_keys_count": { | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
"@_irc_bob:example.org": { | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
"curve25519": 10, | ||
"signed_curve25519": 20 | ||
} | ||
} | ||
} | ||
``` | ||
|
||
These fields are heavily inspired by [the extensions to /sync](https://matrix.org/docs/spec/client_server/r0.6.1#id84) | ||
in the client-server API. | ||
|
||
Both new fields can be omitted if there are no changes for the appservice to handle. For | ||
`device_one_time_keys_count`, the format is slightly different from the client-server API to better | ||
map the appservice's user namespace users to the counts. Users in the namespace without keys or | ||
which have unchanged keys since the last transaction can be omitted. | ||
|
||
Like MSC2409, any user the appservice would be considered "interested" in (user in the appservice's | ||
namespace, or sharing a room with an appservice user/namespaced room) would qualify for the device | ||
list changes section. | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
## Potential issues | ||
|
||
Servers would have to track and send this information to appservices, however this is still perceived | ||
to be more performant than appservices using potentionally thousands of `/sync` streams. | ||
|
||
Appservices additionally cannot opt-in (or out) of this functionality unlike with MSC2409. It is | ||
expected that servers will optimize for not including/calculating the fields if the appservice has | ||
no interest in the information. Specifically, appservices which don't have any keys under their user | ||
namespace can be assumed to not need device list changes and thus can be optimized out. | ||
|
||
## Alternatives | ||
|
||
An endpoint for appservices to poll could work, though this is extra work for the appservice and would | ||
likely need pagination and such, which is all heavyweight for the server. Instead, having the server | ||
batch up updates and send them to the appservice is likely faster. | ||
|
||
## Security considerations | ||
|
||
None relevant - this is the same information the appservice would get if it spawned `/sync` streams for | ||
all the users in its namespace. | ||
|
||
## Unstable prefix | ||
|
||
While this MSC is not considered stable for implementation, implementations should use `org.matrix.msc3202.` | ||
as a prefix to the fields on the `/transactions` endpoint. For example: | ||
* `device_lists` becomes `org.matrix.msc3202.device_lists` | ||
* `device_one_time_keys_count` becomes `org.matrix.msc3202.device_one_time_keys_count` | ||
|
||
Appservices which support encryption but never see these fields (ie: server is not implementing this in an | ||
unstable capacity) should be fine, though encryption might not function properly for them. It is the | ||
responsibility of the appservice to try and recover safely and sanely, if desired, when the server is not | ||
implementing this in an unstable capacity. This is not a concern once the MSC becomes stable in a released | ||
version of the specification, as servers will be required to implement it. |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.