[{"author": "Watson Ladd", "text": "<p>we hear you</p>", "time": "2023-10-10T14:00:56Z"}, {"author": "Watson Ladd", "text": "<p>(now let me figure out where they go)</p>", "time": "2023-10-10T14:01:59Z"}, {"author": "Andrew Morgan", "text": "<p><a href=\"https://notes.ietf.org/notes-ietf-interim-2023-mimi-10-mimi\">https://notes.ietf.org/notes-ietf-interim-2023-mimi-10-mimi</a></p>", "time": "2023-10-10T14:02:21Z"}, {"author": "Andrew Morgan", "text": "<p>yay, thank you Rohan!</p>", "time": "2023-10-10T14:05:43Z"}, {"author": "Jonathan Rosenberg", "text": "<p>requirements and open questions look good to me</p>", "time": "2023-10-10T14:10:47Z"}, {"author": "Jonathan Rosenberg", "text": "<p>Giles your audio is quite faint</p>", "time": "2023-10-10T14:11:48Z"}, {"author": "Konrad Kohbrok", "text": "<p>Wait, why are we conflating SII to SSI mapping with key distribution?</p>", "time": "2023-10-10T14:15:44Z"}, {"author": "Konrad Kohbrok", "text": "<p>Did I miss something?</p>", "time": "2023-10-10T14:15:59Z"}, {"author": "Alissa Cooper", "text": "<p>@Konrad, join the queue? 
There was some confusion about this on the list as well, would be good to clarify.</p>", "time": "2023-10-10T14:16:25Z"}, {"author": "Rohan Mahy", "text": "<p>@Konrad, just raise your hand and ask as a clarifying question</p>", "time": "2023-10-10T14:16:39Z"}, {"author": "Konrad Kohbrok", "text": "<p>Unfortunately, I'm in a space where I can't talk right now.</p>", "time": "2023-10-10T14:17:24Z"}, {"author": "Watson Ladd", "text": "<p>I can't jabberscribe and take notes sadly</p>", "time": "2023-10-10T14:18:16Z"}, {"author": "Konrad Kohbrok", "text": "<p>Thanks Alissa!</p>", "time": "2023-10-10T14:20:48Z"}, {"author": "Benjamin Beurdouche", "text": "<p>OHTTP++ between Client and P1...</p>", "time": "2023-10-10T14:33:16Z"}, {"author": "Benjamin Beurdouche", "text": "<p>P2 sorry</p>", "time": "2023-10-10T14:33:58Z"}, {"author": "Andrew Morgan", "text": "<p>Tim's mic is clipping badly for me</p>", "time": "2023-10-10T14:39:05Z"}, {"author": "Raphael Robert", "text": "<p>same here</p>", "time": "2023-10-10T14:39:25Z"}, {"author": "Watson Ladd", "text": "<p>you will when user changes the preference and forgets to remove from the other</p>", "time": "2023-10-10T14:40:09Z"}, {"author": "Eric Rescorla", "text": "<p>Well, you could timestamp the assertions</p>", "time": "2023-10-10T14:40:24Z"}, {"author": "Watson Ladd", "text": "<p>I think people still cheat at candy crush saga</p>", "time": "2023-10-10T14:41:20Z"}, {"author": "Tim Geoghegan", "text": "<p>Sorry about my mic, I have such bad luck with Meetecho on laptops</p>", "time": "2023-10-10T14:41:48Z"}, {"author": "Eric Rescorla", "text": "<p>I was going to make the point Konrad just made</p>", "time": "2023-10-10T14:42:03Z"}, {"author": "Rohan Mahy", "text": "<p>what ekr just said!</p>", "time": "2023-10-10T14:47:55Z"}, {"author": "Rohan Mahy", "text": "<p>\"is the attacker willing to represent an identity they don't own?\" one provider's assertion is not superior to another's</p>", "time": "2023-10-10T14:49:19Z"}, 
{"author": "Alissa Cooper", "text": "<p>I feel like this is conflating the question of whom you trust to assert UserA's SII-&gt;SSI mappings and whom you trust to assert which SSI out of that set is UserA's preferred SSI</p>", "time": "2023-10-10T14:49:42Z"}, {"author": "Rohan Mahy", "text": "<p>i don't think it was clear which of these problems the WG was trying to solve.</p>", "time": "2023-10-10T14:50:20Z"}, {"author": "Alissa Cooper", "text": "<p>we absolutely must solve the first one, otherwise we don't have a discovery solution that works</p>", "time": "2023-10-10T14:50:48Z"}, {"author": "Rohan Mahy", "text": "<p>My position has always been that the first one is completely optional, and the second one is harmful</p>", "time": "2023-10-10T14:52:24Z"}, {"author": "Eric Rescorla", "text": "<p>I do actually have a solution to this</p>", "time": "2023-10-10T14:54:08Z"}, {"author": "Eric Rescorla", "text": "<p>this piece</p>", "time": "2023-10-10T14:54:13Z"}, {"author": "Femi Olumofin", "text": "<p>It is not quite easy to impersonate a user on a different service using the user's SII like phone number. 
It is more of a problem for diverse ids - SSI.</p>", "time": "2023-10-10T14:54:16Z"}, {"author": "Watson Ladd", "text": "<p>aren't SSIs inherently immune to service B wanting them?</p>", "time": "2023-10-10T14:55:37Z"}, {"author": "Eric Rescorla", "text": "<p>I would suggest for the purposes of this discussion we assume PIR is magic</p>", "time": "2023-10-10T14:56:33Z"}, {"author": "Eric Rescorla", "text": "<p>Rather than talking about lattices :)</p>", "time": "2023-10-10T14:56:47Z"}, {"author": "Eric Rescorla", "text": "<p>With that said, people might find this useful <a href=\"https://educatedguesswork.org/posts/pir/\">https://educatedguesswork.org/posts/pir/</a></p>", "time": "2023-10-10T14:57:04Z"}, {"author": "Eric Rescorla", "text": "<p>(which is to say PIR explained entirely with high school math)</p>", "time": "2023-10-10T14:57:14Z"}, {"author": "Rohan Mahy", "text": "<p>@Ekr, to be clear, I think we can technically solve the second problem.</p>", "time": "2023-10-10T14:58:40Z"}, {"author": "Rohan Mahy", "text": "<p>1) My concerns are that people often use different services for different contexts. I want to use different services to talk with my colleagues (Wire), to talk to my family (Messages), and to talk to members of my acrobatics troupe (WhatsApp).</p>", "time": "2023-10-10T14:58:41Z"}, {"author": "Rohan Mahy", "text": "<p>2) I fear this will become like the \"Make this my default browser\" wars</p>", "time": "2023-10-10T14:59:12Z"}, {"author": "Rohan Mahy", "text": "<p>but worse</p>", "time": "2023-10-10T14:59:20Z"}, {"author": "Rohan Mahy", "text": "<p>I want to use an explicit service. I don't want a default one.</p>", "time": "2023-10-10T15:00:19Z"}, {"author": "Tim Geoghegan", "text": "<p>In this design, the client has no visibility into the SII-&gt;SSI mappings. It gets told by its service frontend what other service to use. 
So regardless of a preferred service setting, the frontend can just pick a provider based on its own preferences.</p>", "time": "2023-10-10T15:01:49Z"}, {"author": "Jonathan Rosenberg", "text": "<p>@rohan does this cover your requirements: <a href=\"https://datatracker.ietf.org/doc/html/draft-rosenberg-mimi-discovery-reqs-00#name-provider-cardinalities\">https://datatracker.ietf.org/doc/html/draft-rosenberg-mimi-discovery-reqs-00#name-provider-cardinalities</a></p>", "time": "2023-10-10T15:01:55Z"}, {"author": "Eric Rescorla", "text": "<blockquote>\n<p>I want to use an explicit service. I don't want a default one. and nothing stops you from doing it, but that's not what everyone wants</p>\n</blockquote>", "time": "2023-10-10T15:03:43Z"}, {"author": "Eric Rescorla", "text": "<p>Oops. @Rohan, I know you want an explicit selection, but not everyone wants that</p>", "time": "2023-10-10T15:04:15Z"}, {"author": "Eric Rescorla", "text": "<p>@Femi: do you have these numbers in core seconds rather than absolute times?</p>", "time": "2023-10-10T15:07:30Z"}, {"author": "Tim Geoghegan", "text": "<p>+1 to needing a threat model. 
Also need to be clear on which actor is trusted to select among multiple providers.</p>", "time": "2023-10-10T15:15:18Z"}, {"author": "Raphael Robert", "text": "<p>would be good to have a written threat model</p>", "time": "2023-10-10T15:16:11Z"}, {"author": "Eric Rescorla", "text": "<p>It's worth noting that in this design, you have to do N queries where N is the number of potential services the person you are talking to might have</p>", "time": "2023-10-10T15:16:42Z"}, {"author": "Eric Rescorla", "text": "<p>Which may be fine, but is gonna be pretty expensive if that's a PIR query</p>", "time": "2023-10-10T15:17:12Z"}, {"author": "Eric Rescorla", "text": "<p>Another question I would add is whether the shard boundaries are going to change</p>", "time": "2023-10-10T15:17:28Z"}, {"author": "Eric Rescorla", "text": "<p>Re: PIR algorithm selection, I think we'd need to send that to CFRG</p>", "time": "2023-10-10T15:17:47Z"}, {"author": "Eric Rescorla", "text": "<p>No way should this WG standardize a PIR scheme</p>", "time": "2023-10-10T15:17:59Z"}, {"author": "Raphael Robert", "text": "<p>yes</p>", "time": "2023-10-10T15:18:51Z"}, {"author": "Eric Rescorla", "text": "<p>With that said, I absolutely love PIR :)</p>", "time": "2023-10-10T15:19:29Z"}, {"author": "Femi Olumofin", "text": "<p>@Eric it's core seconds.</p>", "time": "2023-10-10T15:20:35Z"}, {"author": "Giles Hogben", "text": "<p>The data is already public</p>", "time": "2023-10-10T15:24:06Z"}, {"author": "Giles Hogben", "text": "<p>+1 I think we need multiple discovery providers but not because of GDPR</p>", "time": "2023-10-10T15:31:48Z"}, {"author": "Richard Barnes", "text": "<p>+1 Coop -- the unanswered question is whether there are <em>not</em> application providers</p>", "time": "2023-10-10T15:32:08Z"}, {"author": "Eric Rescorla", "text": "<p>I feel like this is solved with separating <em>authentication/identity</em> from discovery</p>", "time": "2023-10-10T15:34:30Z"}, {"author": "Richard Barnes", 
"text": "<p>@EKR precisely</p>", "time": "2023-10-10T15:35:24Z"}, {"author": "Eric Rescorla", "text": "<p>So, I would imagine that in this instance, the big providers are their own CAs</p>", "time": "2023-10-10T15:35:56Z"}, {"author": "Eric Rescorla", "text": "<p>the small providers have to use a trusted CA</p>", "time": "2023-10-10T15:36:04Z"}, {"author": "Eric Rescorla", "text": "<p>and you can't store records unless you have a valid cert</p>", "time": "2023-10-10T15:36:15Z"}, {"author": "Richard Barnes", "text": "<p>i'm pretty sure i wrote up exactly this scheme to the list after the last interim</p>", "time": "2023-10-10T15:36:21Z"}, {"author": "Eric Rescorla", "text": "<p>you did</p>", "time": "2023-10-10T15:36:27Z"}, {"author": "Eric Rescorla", "text": "<p>I'm just amplifying</p>", "time": "2023-10-10T15:36:33Z"}, {"author": "Richard Barnes", "text": "<p>\"allow me to restate...\"</p>", "time": "2023-10-10T15:36:36Z"}, {"author": "Richard Barnes", "text": "<p>@ekr i know, it just seems like JDR didn't get that memo</p>", "time": "2023-10-10T15:37:29Z"}, {"author": "Eric Rescorla", "text": "<p>PIR solves this problem</p>", "time": "2023-10-10T15:37:41Z"}, {"author": "Giles Hogben", "text": "<p>+100 to Richard</p>", "time": "2023-10-10T15:42:17Z"}, {"author": "Femi Olumofin", "text": "<p>+1 a discovery provider that is not a service provider shouldn't have the ability to add/update records.</p>", "time": "2023-10-10T15:42:52Z"}, {"author": "Giles Hogben", "text": "<p>I don't think the validation process maps to provider</p>", "time": "2023-10-10T15:54:59Z"}, {"author": "Giles Hogben", "text": "<p>It maps a meatbag to an identifier</p>", "time": "2023-10-10T15:55:10Z"}, {"author": "Benjamin Beurdouche", "text": "<p>Thanks ! Bye : )</p>", "time": "2023-10-10T16:02:27Z"}, {"author": "Tim Geoghegan", "text": "<p>Thanks all! Thanks Watson for taking notes.</p>", "time": "2023-10-10T16:02:32Z"}]