group-income
Move identity contract's attributes into the group profile in the group contract
Problem
Right now things like the user's display name, email, and profile picture are stored in the identity contract.
This doesn't make sense given our overall design because:
- If we store this info using unencrypted actions, then it's public and the server has access to it. That's not something we want by default.
- If we store it using encrypted actions, then nobody except the user themselves can see it, which kinda defeats the purpose.
Solution
Move all of this stuff (that other group members need to be aware of) to the group contract and store it under the group profile instead.
~~EDIT: Actually, that might not be the right thing to do. See comment below.~~
EDIT2: added conclusion here
One question @taoeffect, are you sure that only group members are those who will try to access?
@Silver-IT That's a great question. I'm actually not 100% sure. I could be mistaken actually - it might be that we could run into situations where we want some of this information to be public.
Examples include:
- Displaying a full name or a profile picture in direct messages between members outside of groups
- Displaying a full name or a profile picture in public chats
On the other hand, people's email addresses probably should be private. Exposing such information publicly is probably not the best idea.
However, in that case maybe it's still better to keep in the identity contract, but encrypted, and reveal it only in special situations, for example, sharing it with a server if a user wants email notifications.
Your comment makes me realize that this issue really should be saved until much later. So I'm going to unassign you and re-assign to me, and add Note:Discussion and Note:Research labels to this.
Thanks, @taoeffect. I got it.
OK, after more discussion today with @corrideat and others, we've reached the following conclusion:
- We definitely should move the profile to the group profile. This keeps important information like display names and profile pictures private by default, while also simplifying the e2e key management.
- We can still additionally keep a copy of this information in the identity contract too - encrypted. The values in the identity contract can be used to populate the defaults for the group profile when users join a new group. And when we initiate DMs with members who are outside of our group, we can (later on) choose to share this info with those people we're chatting with in an encrypted way (similar to what Signal does). And - this method also allows us the freedom to allow users to optionally voluntarily make their profile info publicly visible.
After giving this more thought and discussing with @corrideat, we've decided that we are not going to move this information to the group profile because that would negatively impact our ability to facilitate DMs between people outside of the group context (e.g. between people in different groups, or even different apps).
So we'll keep this profile information in the identity contract and keep it encrypted, and will encrypt it with a read-only key that is shared upon DM creation. I will open a separate issue for that after closing this one.