Changes

Np1sec/incremental consistency

1,522 bytes added, 9 years ago
Dmitri moved page [[MpOTR/incremental consistency]] to [[Np1sec/incremental consistency]]: protocol renamed
** we assume a server-dictated ordering, so accepting a message at seqnum i means we have already accepted all messages j ≤ i.
Once ''m'' is fully-acked, ''u'' knows that everyone else has seen ''m'' and all messages before it. We'll call the process of gaining that knowledge, "reaching consistencyfor ''m''"(given context, ''m'' might be implicit). We don't have another mechanism for it, so henceforth we'll use "reach consistency" interchangeably with "reach full-ack", though strictly the former is a security property and the latter is a mechanism for achieving it. An '''explicit-ack''' is a message with no user content, that is sent solely for the purpose of declaring (via recv-parent) what the sender has seen. We'll make use of these to ensure consistency is reached in a timely manner, even if no-one wants to send a normal message (that contains user-level contents, and which is an '''implicit-ack''').
== Consistency ==
When We consider two cases: (a) reaching consistency for arbitrary messages during the course of a conversation, and (b) reaching consistency when a member user ''u wants '' leaves. Case (b) may be viewed as a special instance of case (a) plus the additional premise that ''u'' must reach consistency as soon as possible (because they want to partleave), and that they send a don't care about reaching consistency for any subsequent messages that they might receive after their final "farewell" message m:.
* Everyone should explicit-ack this message ASAP** This message should contain the next-sender-key, to be used after u leaves, encrypted to everyone except u. This ensures old members canCase '''t read new messages even if they eavesdrop.** (We could probably do something similar for group keys.a)* When this message is fully-acked, u gains consistency for all previous messages up to m, and may leave.** Other messages should be probably be discarded - u won't have a chance to verify their consistency.* TBD'': need to think about simultaneous parts When when a member ''u '' accepts a non-explicit-ack message ''m '' at time ''t'':
* if u did not send m, and they have not acked m by t+ACK_GRACE_INTERVAL, they should send an explicit-ack
* if m is not fully-acked (from their POV) by t+(2*BROADCAST_LATENCY)+ACK_GRACE_INTERVAL then issue a local UI warning. Cancel the warning if/when full-ack is reached later.
 
Case '''(b)''': when a member ''u'' wants to part, they send a "farewell" message ''m'':
 
* Everyone should explicit-ack ''m'' as soon as they receive it from the server.
** This ack may also bundle any cryptographic material needed for other members to agree on a key or keys that exclude ''u''. For example, in the SenderKeys scenario, this would contain the next sender-key, encrypted to everyone except ''u''.
* When ''m'' is fully-acked, ''u'' reaches consistency for all previous messages up to ''m'', and may leave.
* Messages that others send to ''u'' that are echoed back after ''m'', will not be acked by ''u''.
** ''u'' won't have a chance to reach consistency for these messages, even if ''u'' receives them.
** Others won't have a chance to check that ''u'' read them, though they may be able to check that everyone else did. But ''u'' may still read them in theory, since they were encrypted to ''u''.
** In either case, communicating this meaning to the user, should be already covered by the same UI as for case (a). In the first case, ''u'' may shortcut the timeout and just issue the warning straight away, or alternatively not display those messages to the user at all.
* TBD: need to think about simultaneous parts
=== Parameters and properties ===
Dmitri
Bureaucrat, emailconfirmed, administrator, translator
662
edits
Retrieved from "https://learn.equalit.ie/wiki/Special:MobileDiff/824...1564"