Create xip-35-message-sender-signature.md #35
+60
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| --- | ||
| xip: 35 | ||
| title: Message sender identifier in topic | ||
| description: A system for detecting who sent a message in a topic from the Notification Server | ||
| author: Noé Malzieu | ||
| status: Draft | ||
| type: Standards Track | ||
| category: XRC | ||
| created: 2023-12-06 | ||
| --- | ||
|
|
||
|
|
||
| ## Abstract | ||
|
|
||
| This XRC proposes to add a signature to public envelopes for messages, that a notification server could use to detect if one of the subscribed users has sent the message and not send him the notification (i.e. avoid receiving notifications for your own messages). | ||
|
|
||
| ## Motivation | ||
|
|
||
| Right now, a message sent in a topic needs to have its payload decoded to understand who sent the message. | ||
| When a notification server sees a message in a topic and decides to sent it to one of its subscribers, it has no way to know if the message is from the subscriber or not. | ||
| This means a mobile XMTP client will subscribe to a topic then receive notifications for its own messages in the topic. | ||
| This would be fine if the XMTP client could just drop the notification after having decoded the payload. | ||
| On Apple devices, to be able to decode the payload before showing the notification, we must use a [Notification Service Extension](https://developer.apple.com/documentation/usernotifications/unnotificationserviceextension) - and the only way to drop a notification from a Notification Service Extension is to obtain a specific entitlement from Apple: [com.apple.developer.usernotifications.filtering](https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_usernotifications_filtering) | ||
| Obtaining this entitlement from Apple has proven very hard - they might consider XMTP clients too web3, and they just don't provide this entitlement to apps that provide financial services. | ||
| Specifically, Coinbase Wallet never managed to obtain this entitlement, and Converse had it for a few months before losing it. | ||
|
|
||
| ## Specification | ||
|
|
||
| The SDKs would generate a private/public key pair for each topic. | ||
| The private/public key pair should always be the same for a given user and a given topic - not dependent on installations / SDK language. | ||
|
|
||
| Before publishing an envelope on a topic, the SDK would use the topic private key to sign the message payload and attach it to the envelope. | ||
|
There was a problem hiding this comment. It's important to note that the public key of the user's signing key would be private between the user's devices and the notification server. Third parties would not be able to validate that the signatures originate from the actual sender and were not forged. |
||
|
|
||
| The envelope of a message would be updated to | ||
|
|
||
| message Envelope { | ||
| string content_topic = 1; | ||
| uint64 timestamp_ns = 2; | ||
| bytes message = 3; | ||
|
|
||
| optional string signature = 4; // New field added | ||
| } | ||
|
|
||
| When the client subscribes to a topic on its notification server, it would also provide the topic public key to the notification server. | ||
|
|
||
| When the notification server sees a message in a specific topic, it would do the following | ||
|
|
||
| 1. Check if it has clients that have subscribed to this topic | ||
| 2. For each client that has subscribed to the topic, try to verify the signature using the public key the client has provided when subscribing to the topic | ||
| 3. If the signature is verified, it means that the message was indeed sent by this person (not necessarily from this client) and the notification server can decide wether to send the notification or not (could be a parameter configured by the developper) | ||
|
|
||
| ## Backwards Compatibility | ||
|
|
||
| Notification server should allow subscribing to topics without sending a public key. This client would then receive all notifications. | ||
|
|
||
| Notification server should also parse envelopes that don't have any signature. These messages would be sent to every client that subscribed to the topic, wether they provided a public key for this topic or not. | ||
|
|
||
| ## Copyright | ||
|
|
||
| Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My suggestion would be that each user would have a signing key that would be synced between their devices for v1/v2 and be per-installation and not synced for group chats/v3. We would generate a per-topic key by doing
HKDF(root_key, salt=$topic).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I get the difference between an "installation" and a "device"?
Goal being that I generate the same per-topic key on Coinbase Wallet & Converse
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Installation" is a little more specific than "device", because in the XMTP case there can be multiple different apps (Coinbase Wallet, Converse) installed on the same device. We sometimes forget and use the word "device" interchangeably, because a lot of the literature uses that term.
@neekolas's suggestion would work for this - the signing key is synced to all installations, and all installations perform the same
HKDFto get the same per-topic key.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand this proposal for v3. The per-topic key needs to be the same among all installations, so what is "root_key" referring to here?