status-im / specs

Specifications for Status clients.
https://specs.status.im/
MIT License

Initial Conversational Security Specification #13

Closed oskarth closed 4 years ago

oskarth commented 5 years ago

This should give an overview of how we provide conversational security in Status.

See https://github.com/status-im/specs/blob/master/x6.md for current draft (kudos to @cammellos @PombeirP), as well as Adam's initial spec.

The main issue with the current PFS whitepaper is that it treats PFS as a special thing, as opposed to talking about conversational security more generally (this might be more of a naming thing though - in any case it shows that we think of PFS as something (too) special). It's also not clear enough in terms of what guarantees we always make. We might also want to mention aspects like PCS.

As well as general evaluation based on SoK Secure Messaging, see inline doc.

Acceptance criteria

In terms of who will judge, it'll be 2-3 main groups initially:

Questions spec should answer

Security and Privacy

- Confidentiality
- Integrity
- Authentication
- Participant Consistency
- Destination Validation
- Forward Secrecy
- Backward Secrecy
- Anonymity Preserving
- Speaker Consistency
- Causality Preserving
- Global Transcript
- Message Unlinkability
- Message Repudiation
- Particip. Repudiation

Adoption

- Out-of-Order Resilient
- Dropped Message Resilient
- Asynchronicity
- Multi-Device Support
- No Additional Service

Group chat

- Computational Equality
- Trust Equality
- Subgroup Messaging
- Contractable
- Expandable

Example technologies

- Trusted servers (mailservers?)
- Double ratchet
- X3DH
- Prekeys

Also note that multidevice fits here, fyi @decanus

oskarth commented 5 years ago

@adambabik @decanus fyi updated

oskarth commented 5 years ago

Connecting with this issue that is related https://github.com/status-im/bigbrother-specs/pull/7#issuecomment-486925514

oskarth commented 5 years ago

Elaborate more on bid process https://github.com/status-im/status-react/blob/c9994b5d0f72377ec51000541e6b02500f8430f5/src/status_im/utils/clocks.cljs

oskarth commented 4 years ago

Largely done; closing as no longer relevant. If we want to do further QA of specs, I suggest we do this through more specific issues.