MSC3757: Restricting who can overwrite a state event

[andybalaam]

Rendered

Implementations:

• Support MSC3757: Restricting who can overwrite a state event element-hq/synapse#17513
• rtc: Handle non-MXID call member event state keys matrix-rust-sdk#3836
• Loosen type of call member event state keys ruma/ruma#1885

Written by @ara4n , with contributions from @Johennes and @andybalaam .

Shepherd: @AndrewFerr

---

SCT Stuff:

FCP tickyboxes

No MSC checklist.

Status: "At risk" due to:

• Multiple unresolved threads.
• Multiple unaddressed non-trivial concerns raised which block FCP.
• A non-zero number of SCT members disagree with this proposal's approach.
• The above compounded by time: it's been a long while since FCP was proposed, and a long while since threads were opened.

Next steps: the SCT should review the MSC as a group and determine how to proceed. Potential outcomes are FCP-closure, cancellation of FCP, or unblocked forward movement towards merge.

[ShadowJonathan]

One nit, else this looks sound.

[turt2live]

My general concern is that we already have JSON available to us, so we should use that. String packing works in areas where we don't have as fine control (voip call candidates, for example), but for something like this we can and should afford fields.

[andybalaam]

Since the SCT came down on the side of this proposal vs MSC3760 I consider this resolved. Please unresolve if you disagree.

[clokep]

I'm not sure where the conversation about the SCT preferring this over MSC3760 happened, but I'm strongly against the current proposal. String packing is going to cause bugs, having separate fields seems better in every sense.

Hence my concern I've left about insufficient alternatives being explored.

[AndrewFerr]

@mscbot concern Alternatives insufficient explored.

deba3b82..e16482ab re-examines the alternative of the m.peer_unwritable flag.

[turt2live]

This proposal requires re-review from several SCT members and adjacent folks. The priority is a bit unclear to me, but that is a different problem (see room).

[clokep]

On the Apache voting scale, I'm at a -1.0 for how the MSC is currently written. A stronger rationale for why this is needed now and strong discounting of a top-level ACL structure would change this to a -0.9 (sorry, I'm just not in favour of string packing here).

This is still the crux of this proposal and I'm in agreement with @turt2live that I'm a -1 for the string packing.

[AndrewFerr]

Maybe it's worth having a new MSC to explore one of the top-level field alternatives:

• Event ownership flag
• Owning user ID field

[clokep]

Maybe it's worth having a new MSC to explore one of the top-level field alternatives:

* [Event ownership flag](https://github.com/matrix-org/matrix-spec-proposals/blob/andybalaam/owner-state-events/proposals/3757-restricting-who-can-overwrite-a-state-event.md?rgh-link-date=2024-12-10T20%3A16%3A47Z#event-ownership-flag)

* [Owning user ID field](https://github.com/matrix-org/matrix-spec-proposals/blob/andybalaam/owner-state-events/proposals/3757-restricting-who-can-overwrite-a-state-event.md?rgh-link-date=2024-12-10T20%3A16%3A47Z#owning-user-id-field)

Maybe MSC3760 or MSC3779 was supposed to be that? (3760 appears to be very similar to this.)

[andybalaam]

Maybe MSC3760 or MSC3779 was supposed to be that? (3760 appears to be very similar to this.)

Yes, MSC3760 was an alternative without string-packing. MSC3779 is different: it is intended to allow low-power users to create these state events.

[richvdh]

Is this conversion between prefixed and unprefixed state keys a real requirement? It seems to lead to a lot of complexity.

If we're doing this, I'd be inclined to just increase max state key length to (say) 512 bytes, and be done with it.

[dbkr]

I think I was thrown off a bit by the explanation involving currently-valid state keys and thinking that this implied wanting to user-namespace currently state keys. Really the point is simply that, with a maximum length user ID, you need some space to fit something on the end, so yeah, I'd say just keep it simple & double state key length.

[richvdh]

I'd say there's a strong argument for making this a separate MSC, rather than trying to fix two things at once.

[richvdh]

Revisiting this a few months later (sorry), I still find my suggestion clearer.

[richvdh]

@mscbot resolve concern changes to auth rules are unclear

[mscbot]

Unknown concern 'concern changes to auth rules are unclear'.

[richvdh]

@mscbot resolve changes to auth rules are unclear
@mscbot resolve issue of state event proliferation requires discussion

[turt2live]

Concerns-I-have-raised update:

@mscbot resolve Alternatives section is missing some alternatives.
@mscbot resolve Specific alternative of top-level access control is not sufficiently discounted.

Introduction does not sufficiently list benefiting MSCs/features.

The introduction currently relies on location sharing to drive it, which is a deprioritized feature at the spec level. I highly suggest adding the VoIP impact to the introduction to naturally drive this MSC up the list.

Insufficient implementation - Complement tests are required for this MSC.

This still appears to be the case.

[AndrewFerr]

Introduction does not sufficiently list benefiting MSCs/features.

The introduction currently relies on location sharing to drive it, which is a deprioritized feature at the spec level. I highly suggest adding the VoIP impact to the introduction to naturally drive this MSC up the list.

2a77266

Insufficient implementation - Complement tests are required for this MSC.

This still appears to be the case.

Is matrix-org/complement#733 not sufficient?

[Xiretza]

This part can most charitably be described as an awful hack. There should never be a reason to encode multiple independent values into a single string field inside a structured data format like JSON, let alone then enforcing strict length limits on different parts. No, this is terrible, the section "Multi-component state keys" describes what a real solution would have to look like.

[dbkr]

But above you've said that resolvable domain names with underscores exist: wouldn't this allow the attack you talk about below?