Internet-Draft MIMI Room Policy October 2024
Mahy Expires 24 April 2025 [Page]
Workgroup:
More Instant Messaging Interoperability
Internet-Draft:
draft-mahy-mimi-room-policy-01
Published:
Intended Status:
Informational
Expires:
Author:
R. Mahy
Rohan Mahy Consulting Services

Room Policy for the More Instant Messaging Interoperability (MIMI) Protocol

Abstract

This document describes a set of concrete room policies for the More Instant Messaging Interoperability (MIMI) Working Group. It describes several independent properties and policy attributes which can be combined to model a wide range of chat and multimedia conference types.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://rohanmahy.github.io/mimi-room-policy/draft-mahy-mimi-room-policy.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mahy-mimi-room-policy/.

Discussion of this document takes place on the More Instant Messaging Interoperability Working Group mailing list (mailto:[email protected]), which is archived at https://mailarchive.ietf.org/arch/browse/mimi/. Subscribe at https://www.ietf.org/mailman/listinfo/mimi/.

Source for this draft and an issue tracker can be found at https://github.com/rohanmahy/mimi-room-policy.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 24 April 2025.

Table of Contents

1. Introduction

The MIMI architecture [I-D.ietf-mimi-arch] describes how each room has an associated policy. Providers offer a "policy envelope" of supported and allowed policy settings, from which the creator of a room selects a specific room policy. The room policy might further allow individual participants to make specific choices (for example, allowing but not requiring read-message notifications), while constraining other choices (for example, prohibiting self-deleting messages). Individual users can examine the room policy to determine if it is consistent with policies they accept either before or immediately on joining a room. Section 4.4 of [I-D.ietf-mimi-arch]

Making rooms interoperable across existing clients is challenging, as rooms and clients can support different policies and capabilities across vendors and providers. Our goal is to balance the policy and authorization goals of the room with the policy and authorization goals of the end user, so we can support a broad range of vendors and providers.

Each room is owned by one provider at a time. The owning provider controls the range of acceptable policies. The user responsible for the room can further choose among the acceptable policies. Users (regardless if on other providers) can either accept the policies of the room or not. However we want to make it as easy as possible for clients from other providers to comply with the room policy primitives without enumerating specific features or requiring all clients implementations to present an identical user experience.

Configurable Role-based access control with permissions. An example scheme is described in the Appendix.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Role: A long-lived position reflecting the privilege level of a participant in a room. Possible values are owner, admin, regular-user, visitor, none, or outcast. A role closely maps to the MUC concept of affiliation, not the MUC concept of role.

Occupant: A user that has at least one client in the corresponding MLS group, and a role of owner, admin, regular-user, or visitor.

Room ID: An identifier which uniquely identifies a room.

User ID: An internal identifier which uniquely identifies a user.

Nickname: The identifier by which a user is referred inside a room. Depending on the context it may be a display name, handle, pseudonym, or temporary identifier. The nickname in one room need not correlate with the nickname for the same user in a different room.

Client ID: An internal identifier which uniquely identifies one client/device instance of one user account.

Persistent vs. Temporary rooms: A temporary room is destroyed when the last occupant exits whereas a persistent room is not destroyed when the last occupant exist. As MLS has no notion of a group with no members, a persistent room could consist of a sequence of distinct MLS groups, zero or one of which would exist at a time.

2.1. Moderation Terms

Knock: To request entry into a room.

Ban: To remove a user from a room such that the user is not allowed to re-enter the room (until and unless the ban has been removed). A banned user has a role of "outcast". Typically this action is only used in an open or semi-open room. It is distinct than merely removing a user from an administered group.

Kick: To temporarily remove a participant or visitor from a room. The user is allowed to re-enter the room at any time.

Voice (noun): The privilege to send messages in a room.

Revoke Voice: To remove the permission to send messages in a room.

Grant Voice: To grant the permission to send messages in a room.

Moderator: A client whose user has a role of admin or owner in the room. A moderator can ban users, and (when allowed in the room) can grant and revoke voice, kick individual clients, and grant access (ex: in response to a knock).

3. Room Capabilities

Membership-Style: The overall approach of membership authorization in a room, which could be open, members-only (administrated), fixed-membership, or parent-dependent.

Open room: An open room can be joined by any non-banned user.

Members-Only room: A members-only room can only be joined by a user in the occupant list, or who is pre-authorized. Authorized users can add or remove users to the room. In an enterprise context, it is also common (but not required) for users from a particular domain, group, or workgroup to be pre-authorized to add themselves to a Members-Only room.

Fixed-Membership room: Fixed-membership rooms have the list of occupants specified when they are created. Other users cannot be added. Occupants cannot leave or be removed, however a user can remove all its clients from the associated MLS group. The most common case of a fixed-membership room is a 1:1 conversation. This room membership style is used to implement Direct Message (DM) and Group DM features. Only a single fixed-membership room can exist for any unique set of occupants.

Parent-dependent room: In a parent-dependent room, the list occupants of the room must be a strict subset of the occupants of the parent room. If a user leaves or is removed from the parent room, that user is automatically removed from any parent-dependent rooms of that parent.

Multi-device vs. Single-device: A multi-device room can have multiple simultaneous clients of the same user as participants in the room. A single-device room can have a maximum of one client per user in the room at any moment.

Knock-Enabled vs. Knock-Disabled: In a knock-enabled room, non-banned users are allowed to programmatically request entry into the room. In a knock-disabled room this functionality is disabled.

Moderated vs. Unmoderated: An an unmoderated room, any occupant can send messages to the room. In a moderated room, only occupants who have "voice" can send messages to the room.

4. Room policy format syntax

4.2. Pre-authorized users

enum {
  reserved(0),
  system(1),
  owner(2),
  admin(3),
  regular_user(4),
  visitor(5),
  banned(6),
  (255)
} Role;

struct {
  Role target_role;
  /* preauth_domain consists of ASCII letters, digits, and hyphens */
  opaque preauth_domain<V>;
  /* the remaining fields are in the form of a URI */
  opaque preauth_workgroup<V>;
  opaque preauth_group<V>;
  opaque preauth_user<V>;
} PreAuthPerRoleList;

struct {
  ...
  PreAuthPerRoleList pre_auth_list<V>;
  ...
} RoomPolicy;

In members-only rooms, it is convenient to pre-authorize specific users--or users from specific domains, workgroups/teams, and groups--to specific roles. The workgroup, group, and user are expressed as a Uri. The domain is expressed in US-ASCII letters, digits, and hyphens only. If the domain is internationalized, the Internationalized Domain Names [RFC5890] conversion MUST be done before filling in this value.

Note that the system role is used to authorize external proposals for operations for other users. For example, the system role can be used to authorize a provider to remove clients from groups when the corresponding user account is deleted.

4.3. Delivery and Read notifications, Pseudonyms

enum {
  optional(0),
  required(1),
  forbidden(2)
} Optionality;

struct {
  ...
  Optionality delivery_notifications;
  Optionality read_receipts;
  bool pseudonymous_ids;
  ...
} RoomPolicy;

The delivery_notifications value can be set to "forbidden", "optional", or "required". If the value is set to "optional", the client uses its local configuration to determine if it should send delivery notifications in the group.

The read_receipts value can be set to "forbidden", "optional", or "required". If the value is set to "optional", the client uses its local configuration to determine if it should send read receipts in the group.

The format for delivery notifications and read receipts is described in Section 5.12 of [I-D.ietf-mimi-content].

If pseudonymous_ids is true, clients in the MLS group are free to use pseudonymous identifiers in their MLS credentials. Otherwise the policy of the room is that "real" long-term identifiers are required in MLS credentials in the room's corresponding MLS group.

4.5. Extensibility of the policy format

Finally, The extensibility mechanism allows for future addition of new room policies.

enum {
  null(0),
  boolean(1),
  number(2),
  string(3),
  jsonObject(4)
} ExtType;

struct {
  opaque name<V>;
  ExtType type;
  opaque value<V>;
} PolicyExtension;

struct {
  ...
  PolicyExtension policy_extensions<V>;
} RoomPolicy;

foo

5. Role-Based Access Control

With Role-Based Access Control, the room policy defines a list of roles and the capabilities associated with each role.

enum {
  reserved(0),
  canAddParticipant(1),
  ...
  (65535)
} Capability;

struct {
  int role_index;
  opaque role_name<V>;
  opaque role_description<V>;
  Capability role_capabilities<V>;
  int minimum_participants_constraint;
  optional int maximum_participants_constraint;
  int minimum_active_participants_constraint;
  optional int maximum_active_participants_constraint;
} Role

struct {
  Role target_role;
  /* preauth_domain consists of ASCII letters, digits, and hyphens */
  opaque preauth_domain<V>;
  /* the remaining fields are in the form of a URI */
  opaque preauth_workgroup<V>;
  opaque preauth_group<V>;
  opaque preauth_user<V>;
} PreAuthPerRoleList;

struct {
  Role roles<V>;
  ...
  PreAuthPerRoleList pre_auth_list<V>;
  ...
} RoomPolicy;

5.1. Capability Categories

5.1.1. Membership Capabilities

  • canAddParticipant

  • canRemoveParticipant

  • canAddOwnClient

  • canRemoveSelf

  • canAddSelf

  • canCreateJoinLink

  • canUseJoinLink

These actions are subject to role constraints described below.

5.1.2. Moderation Capabilities

  • canBan

  • canUnBan

  • canKick

  • canRevokeVoice

  • canGrantVoice

  • canKnock

  • canAcceptKnock

  • canChangeUserRole

  • canCreateSubgroup

These actions are subject to role constraints described below.

5.1.3. Breakouts

  • canSendDirectMessage

  • canTargetMessage

5.1.4. Message Capabilities

  • canSendMessage

  • canReceiveMessage

  • canReportAbuse

  • canReactToMessage

  • canEditReaction

  • canDeleteReaction

  • canEditOwnMessage

  • canDeleteOwnMessage

  • canDeleteAnyMessage

  • canStartTopic

  • canReplyInTopic

  • canSendDirectMessage

  • canTargetMessage

The Hub can enforce whether a member can send a message and not fanout application messages. Other capabilities can only be enforced by other clients.

5.1.5. Asset Capabilities

  • canUploadImage

  • canUploadVideo

  • canUploadAttachment

  • canDownloadImage

  • canDownloadVideo

  • canDownloadAttachment

  • canSendLink

  • canSendLinkPreview

  • canFollowLink

5.1.6. Adjust metadata

  • canChangeRoomName

  • canChangeRoomSubject

  • canChangeRoomAvatar

  • canChangeOwnName

  • canChangeOwnPresence

  • canChangeOwnMood

  • canChangeOwnAvatar

5.1.7. Real-time media

  • canStartCall

  • canJoinCall

  • canSendAudio

  • canReceiveAudio

  • canSendVideo

  • canReceiveVideo

  • canShareScreen

  • canViewSharedScreen

5.1.8. Disruptive Policy Changes

  • canChangeRoomMembershipStyle

  • canChangeOtherPolicyAttribute

  • canDestroyRoom

  • MLS specific

    • update

    • reinit

    • PSK

    • external proposal

    • external commit

5.2. Role constraints

Minimum and maximum number of each role.

6. Operational policy

Section 7 of the [I-D.ietf-mls-architecture] defines a set of operational policy considerations that influence interoperability of MLS clients. MIMI explicitly address a handful of the issues in the document by taking a position on ordering (Proposals referenced in a Commit need to be received before the Commit; the Commit entering a new epoch needs to be received before any other messages in that epoch), privacy of handshake messages (handshakes can be a PublicMessage or SemiPrivateMessage), and GroupInfo storage (committers need to provide a valid GroupInfo to the Hub). The rest of these issues are described here. Just because a topic is listed does not mean that a room needs to take a position; nor different rooms on a Hub need to have different policies for these items.

6.2. Not relevant to MIMI (between client and its provider)

  • how many KPs to keep active

  • how group IDs are constructed

  • which ciphersuites are acceptable.

6.3. Areas for future works

Which credential types are allowed/required

How to protect and share the GroupInfo objects needed for external joins.

If an application wishes to detect and possibly discipline members that send malformed commits with the intention of corrupting a group's state, there must be a method for reporting and validating malformed commits. MLS requires the following parameters to be defined, which must be the same for two implementations to interoperate:

Which media types are required to send and required to understand in MIMI.

What Additional authenticated data, can/should be sent unencrypted in an otherwise encrypted message.

Application-level identifiers of public key material (specifically the application_id extension as defined in Section 5.3.3 of [RFC9420]).

7. Some types of rooms with RBAC

7.1. Strict administrator policy

Role levels (low to high capabilities):

  • banned

  • guest

  • ordinary_user

  • group_admin

  • super_admin

Capabilities per role

  • banned

    • (no capabilities)

  • guest - canSendMessage - canReceiveMessage - canRemoveSelf

  • ordinary_user

    • (everything guest can do, plus:)

      • canAddOwnClient

      • canChangeOwnName,Presence,Mood,Avatar

      • canReport

      • canSendLinks

    • canSendImages

    • canSendVideos

  • group_admin - (everything ordinary_user can do, plus:) - canSendAttachments - canAddParticipant - canRemoveParticipant - canBanish - promote - canUnBanish - canKick - canChangeRoomName,Subject,Avatar - canPromoteRole(from=[ordinary]; to=[admin]) - canDemoteRole([from=[admin], to=[ordinary]) - canDestroyRoom - canCreateJoinLink

  • super_admin

    • (everything group_admin can do, plus:)

    • canPromoteRole(from=[ordinary,admin], to=[superadmin])

    • canDemoteRole(from=[superadmin], to=[ordinary,admin])

    • canChangeRoomMembershipStyle

Role constraints: must have at least 1 "admin"

7.2. Cooperative room (everyone can add and remove)

Role levels (low to high capabilities):

  • banned

  • ordinary_user

  • group_admin

  • super_admin

Capabilities per role

  • banned

    • (no capabilities)

  • ordinary_user - canSendMessage - canReceiveMessage - canRemoveSelf - canAddOwnClient - canChangeOwnName,Presence,Mood,Avatar - canReport - canAddParticipant - canRemoveParticipant - canKick - canChangeRoomName,Subject,Avatar - canCreateJoinLink - canSendLinks

    • canSendImages

    • canSendVideos

    • canSendAttachments

  • group_admin - (everything ordinary_user can do, plus:) - canBanish - canUnBanish - canPromoteRole(from=[ordinary], to=[admin]) - canDemoteRole([from=[admin], to=[ordinary]) - canDestroyRoom

  • super_admin

    • (everything group_admin can do, plus:)

    • canPromoteRole(from=[ordinary,admin], to=[superadmin])

    • canDemoteRole(from=[superadmin], to=[ordinary,admin])

    • canChangeRoomMembershipStyle

Role constraints: must have at least 1 "group_admin"

7.3. Moderated room

Role levels (low to high capabilities):

  • banned

  • non-participant

  • guest

  • attendee

  • speaker

  • moderator

  • super_admin

Capabilities per role

  • banned

    • (no capabilities)

  • non-participant - canKnock - canJoinViaLink

  • guest - canReceiveMessage - canRemoveSelf

  • attendee

    • (everything guest can do, plus:)

      • canAddOwnClient

      • canChangeOwnName,Presence,Mood,Avatar

      • canReport

  • speaker

    • (everything attendee can do, plus:)

      • canSendMessage

      • canChangeRoomName,Subject,Avatar

      • canSendLinks

    • canSendImages

    • canSendVideos

    • canSendAttachments

  • moderator - (everything ordinary_user can do, plus:) - canAddParticipant - canRemoveParticipant - canAcceptKnock - canBan - canUnBan - canKick - canPromoteRole(from=[attendee]; to=[speaker]) - canDemoteRole([from=[speaker], to=[attendee]) - canCreateJoinLink

  • super_admin

    • (everything moderator can do, plus:)

      • canDestroyRoom

    • canPromoteRole(from=[attendee,speaker], to=[moderator])

    • canDemoteRole(from=[moderator], to=[attendee,speaker])

    • canChangeRoomMembershipStyle

Role constraints: must have at least 1 "moderator"

8. Security Considerations

TODO Security

9. IANA Considerations

This document has no IANA actions.

10. References

10.1. Normative References

[I-D.ietf-mimi-arch]
Barnes, R., "An Architecture for More Instant Messaging Interoperability (MIMI)", Work in Progress, Internet-Draft, draft-ietf-mimi-arch-00, , <https://datatracker.ietf.org/doc/html/draft-ietf-mimi-arch-00>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC5890]
Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, , <https://www.rfc-editor.org/rfc/rfc5890>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

10.2. Informative References

[I-D.ietf-mimi-content]
Mahy, R., "More Instant Messaging Interoperability (MIMI) message content", Work in Progress, Internet-Draft, draft-ietf-mimi-content-04, , <https://datatracker.ietf.org/doc/html/draft-ietf-mimi-content-04>.
[I-D.ietf-mls-architecture]
Beurdouche, B., Rescorla, E., Omara, E., Inguva, S., and A. Duric, "The Messaging Layer Security (MLS) Architecture", Work in Progress, Internet-Draft, draft-ietf-mls-architecture-15, , <https://datatracker.ietf.org/doc/html/draft-ietf-mls-architecture-15>.

Appendix A. Complete TLS Presentation Language Syntax

enum {
  false(0),
  true(1)
} bool;

struct {
  /* a valid Uniform Resource Identifier (URI) */
  opaque uri<V>;
} Uri;

enum {
  optional(0),
  required(1),
  forbidden(2)
} Optionality;

enum {
  reserved(0),
  system(1),
  owner(2),
  admin(3),
  regular_user(4),
  visitor(5),
  banned(6),
  (255)
} Role;

struct {
  Role target_role;
  /* preauth_domain consists of ASCII letters, digits, and hyphens */
  opaque preauth_domain<V>;
  /* the remaining fields are in the form of a URI */
  opaque preauth_workgroup<V>;
  opaque preauth_group<V>;
  opaque preauth_user<V>;
} PreAuthPerRoleList;

enum {
  reserved(0)
  open(1),
  members-only(2),
  fixed-membership(3),
  parent-dependent(4),
  (255)
} MembershipStyle;

struct {
  Optionality logging;
  bool enabled;
  Uri logging_clients<V>;
  Uri machine_readable_policy;
  Uri human_readable_policy;
} LoggingPolicy;

struct {
  bool on_request;
  Uri join_link;
  bool multiuser;
  uint32 expiration;
  Uri link_requests;
} LinkPolicy;

struct {
  opaque name<V>;
  opaque description<V>;
  Uri homepage;
  Role bot_role;
  bool can_read;
  bool can_write;
  bool can_target_message_in_group;
  bool per_user_content;
} Bot;

struct {
  Optionality history_sharing;
  Role who_can_share<V>;
  bool automatically_share;
  uint32 max_time_period;
} HistoryPolicy;

enum {
  null(0),
  boolean(1),
  number(2),
  string(3),
  jsonObject(4)
} ExtType;

struct {
  opaque name<V>;
  ExtType type;
  opaque value<V>;
} PolicyExtension;

struct {
  MembershipStyle membership_style;
  bool multi_device;
  bool knock_allowed;
  bool moderated;
  bool password_protected;
  PreAuthPerRoleList pre_auth_list<V>;
  Uri parent_room_uri;
  bool persistent_room;
  Optionality delivery_notifications;
  Optionality read_receipts;
  bool semi_anonymous_ids;
  bool discoverable;
  LinkPolicy link_policy;
  LoggingPolicy logging_policy;
  HistoryPolicy history_sharing;
  Bot allowed_bots<V>;
  PolicyExtension policy_extensions<V>;
} RoomPolicy;

RoomPolicy room_policy;

Appendix B. Example Roles and Permissions scheme

Acknowledgments

TODO acknowledge.

Author's Address

Rohan Mahy
Rohan Mahy Consulting Services