MSC4291: Room IDs as hashes of the create event

[ara4n]

Rendered

(Written by Matthew as Matrix project lead (while on the clock as Element CTO) and Kegan as Element staff eng)

---

SCT Stuff:

FCP tickyboxes

MSC checklist

[turt2live]

Implementation requirements:

• Server - [WIP] MSC4291 implementation element-hq/synapse#18685
• Evidence of clients not crashing

Some clients to test/verify (incomplete list):

• matrix.to web
• Element Web (/Desktop)
• Legacy Element Android
• Legacy Element iOS
• matrix-rust-sdk
  • Element X Android
  • Element X iOS
  • Fractal
• Cinny
• Nheko
• Quotient/Quaternion
• NeoChat
• Rory&::LibMatrix
• matrix-bot-sdk (both Element fork and upstream; covers most moderation tooling/bots)
• Draupnir
• Hydrogen

[Gnuxie]

Draupnir will crash, and please do not assume that ticking off the matrix-bot-sdk will cover us in future. We have our own infrastructure for parsing matrix events and matrix identifiers.

• https://github.com/the-draupnir-project/matrix-basic-types includes parsing and type brands for matrix identifiers (potentially illegally in the case of room identifiers, but we do so because it is important for us to be able to identify the origin of rooms).
• https://github.com/Gnuxie/matrix-protection-suite/ parses events, and will crash if room_id is removed from the top level of events. Not sure whether that specifically is illegal or not. We have a tolerant strategy for handling other fields that don't match the schema (including all content), but this isn't the case for room_id and event_id.

[zecakeh]

Fractal doesn't crash with the changes in this MSC.

[turt2live]

matrix.to appears to overly validate the room ID:

[TheArcaneBrony]

Resolved in Rory&::LibMatrix as of https://cgit.rory.gay/matrix/LibMatrix.git/commit/?id=c39d18efd0e6a610d2dc29832407e99e0079bc13

[turt2live]

MSCs proposed for Final Comment Period (FCP) should meet the requirements outlined in the checklist prior to being accepted into the spec. This checklist is a bit long, but aims to reduce the number of follow-on MSCs after a feature lands.

SCT members: please check off things you check for, and raise a concern against FCP if the checklist is incomplete. If an item doesn't apply, prefer to check it rather than remove it. Unchecking items is encouraged where applicable.

Checklist:

• Are appropriate implementation(s) specified in the MSC’s PR description?
• Are all MSCs that this MSC depends on already accepted?
• For each new endpoint that is introduced:
  • Have authentication requirements been specified?
  • Have rate-limiting requirements been specified?
  • Have guest access requirements been specified?
  • Are error responses specified?
    • Does each error case have a specified errcode (e.g. M_FORBIDDEN) and HTTP status code?
      • If a new errcode is introduced, is it clear that it is new?
• Will the MSC require a new room version, and if so, has that been made clear?
  • Is the reason for a new room version clearly stated? For example, modifying the set of redacted fields changes how event IDs are calculated, thus requiring a new room version.
• Are backwards-compatibility concerns appropriately addressed?
• Are the endpoint conventions honoured?
  • Do HTTP endpoints use_underscores_like_this?
  • Will the endpoint return unbounded data? If so, has pagination been considered?
  • If the endpoint utilises pagination, is it consistent with the appendices?
• An introduction exists and clearly outlines the problem being solved. Ideally, the first paragraph should be understandable by a non-technical audience.
• All outstanding threads are resolved
  • All feedback is incorporated into the proposal text itself, either as a fix or noted as an alternative
• While the exact sections do not need to be present, the details implied by the proposal template are covered. Namely:
  • Introduction
  • Proposal text
  • Potential issues
  • Alternatives
  • Dependencies
• Stable identifiers are used throughout the proposal, except for the unstable prefix section
  • Unstable prefixes consider the awkward accepted-but-not-merged state
  • Chosen unstable prefixes do not pollute any global namespace (use “org.matrix.mscXXXX”, not “org.matrix”).
• Changes have applicable Sign Off from all authors/editors/contributors
• There is a dedicated "Security Considerations" section which detail any possible attacks/vulnerabilities this proposal may introduce, even if this is "None.". See RFC3552 for things to think about, but in particular pay attention to the OWASP Top Ten.

[joshqou]

This proposal on it's own is fine if changed slightly, however packaging it alongside a mandatory security-related version bump is very neglectful behaviour towards both paid and unpaid maintainers of matrix software. There are many legitimate reasons as to why origin homeservers should be identifiable just from their room id, some of which are specifically outlined in this proposal, however are ignored in favour of breaking many moderation tools for... a very specific edge-case where a server gains knowledge of a room which could only be created by a malicious server?

I don't see any reason as to why this new format wouldn't be able to retain all of the existing information while also providing protection against impersonation or id "downgrading". i.e: !:example.com@$createid

Given those at the foundation and at element have given their approval I doubt anything can be said or done that would change this MSC in any way, however I am leaving this comment in spite of that to voice my own disapproval.

[mscbot]

The final comment period, with a disposition to merge, as per the review above, is now complete.

[turt2live]

(FCP is actually not finished due to outstanding comments)

[turt2live]

Review feedback from the last several days, including from various rooms, has been addressed and as such the FCP is now finished.