Prepare on-site architecture workshop
Problem
We need to prepare our on-site workshop.
Goal
Let's define who prepares what so that we have a good starting point for our discussions.
Goal of the workshop: After the workshop, we have a rough common understanding of how we approach our largest architecture questions. This enables us to plan ahead for the second half of our initial 12-month project phase (~ January to May 2026) and identify key results for each architecture question (e.g. "We need to create an MSC", "we need to create an ADR", "we just need to create issues and implement this").
ACs
- Everyone prepared at least one topic for our workshop.
Notes/ resources
Topics
Based on our notes, we prepared a list of topics to discuss during our on-site workshop:
[20'] [@holz] Architecture documentation options
- Goal: Let's build a common understanding of when we need ADRs and what other options we have to document architecture concepts
[90'] [@kim, @TheOneWithTheBraid] Matrix account creation and crypto bootstrap
- Goal: Let's discuss different approaches to when and where Matrix accounts and crypto material are created
- Matrix account creation: #251
- Crypto bootstrap: ?
[90'] [@TheOneWithTheBraid] Cryptographic access recovery (trust towards own devices)
- Goal: Discussion of possible approaches
- Questions: How to deal with loss of all of our devices? How to avoid loss of crypto keys?
[120'] [@networkException] Between QR codes, eID and id.bund.de - How to get sessions and keys from A to B
- Goal: Build common understanding of our auth flows and identify questions we need to answer, as well as ADRs we need to create, concepts we need to document
- Questions:
- Do we transfer eID trust (more similar to cross signing) or prompt for rescanning the ID (more similar to an initial login)?
- Can we realize a device switch without interaction with the BundID backend? (MAS session handover to 2nd device, see MSC 4108)
- Session lifetime (per device) also for device verification and future messages
- Bundle eID authentications -> We want PIN first and scan the eID multiple times for the multiple levels of authentication and verification we need.
- see also: solution-architecture!15 (comment 460381)
[45'] [@TheOneWithTheBraid] Device verification (trust towards other participants)
- Goal: Update everyone on the current state of the discussion
[30'] [@kim] User Profile Privacy
- Showing conversation partners each other's profiles (name, etc.) without breaking unlinkability
- Related to device verification
- Matrix vs. Signal
[60'] [@kim] Implement trust levels with Matrix
- Goal: Discuss and agree on our approach on how to implement this
- Design goal: Government agencies can send messages on different trust levels. Citizens can access messages only when authenticated on the message's trust level (or higher).
- Solution approach 1: Government agencies share keys after user authenticates.
- Solution approach 2: Different homeservers for different trust levels.
- Questions: Can our backend withhold encrypted keys until the user has authenticated?
[20'++] [@Yan] Integration of BundID/SAML into MAS? What would we gain?
- Goal: Decide if we want to follow this approach.
[30'] [@holz/ @networkException] Define room management and power levels (room creator)
- Goal: Brainstorm ideas about these topics
- Questions: 1 room per user-agency-combination or 1 room per case? Can this be used for denying message sending? -> #296
[90'] [@holz] Pseudonymous / sector-/service-/agency-specific identifiers #199 (previously "unlinkability and trust")
- Goal: Common understanding of different design goals and possible approaches
- Design goal 1: Unlinkability of users across different specialist agencies (Fachbehörden)
- Design goal 2: Hide communication partners within our infrastructure (BundID, FIT-Connect, ...)
- + Kegan, Matthew
[90'] [@holz] Bridge for existing messages / ZBP BE to Matrix server migration (#17)
- Goal: Common understanding of goal and possible approaches
- Questions: Do we encrypt? How? How do we deal with the "FIT-Connect Homeserver" if we were to not encrypt?
[40'] [@holz] Integrate Neo into government apps (e.g. BayernApp)
- Goal: Just get the idea into everyone's head. No architecture discussion here
[60'] [@kim] Challenges in deleting accounts / messages / cases (GDPR-requirement)
- Goal: Figure out what technical limitations we have (given the lack of clear legal requirements?)
- Multi-server setup as challenge
- Questions: Are legal requirements clear?
[30'] [@kim] bPK2
- Questions: How to create a Matrix ID and map it to a BundID account if we cannot directly use bPK2
[backlog/parking lot (Themenparkplatz) - @holz] Let's discuss our Epics together
- Goal: Common understanding of our epics from an architecture point of view.
[backlog/parking lot (Themenparkplatz)] Threat Modelling
- Goal: Start working on this
Agenda
Mon
- Organisation: Today until 16:00. Departure Thu/Wed. Dinner out on Wednesday! Look at the agenda
- [20'] [@holz] Architecture documentation options
- [90'] [@holz] Bridge for existing messages / ZBP BE to Matrix server migration (#17)
Tue (+ Q)
- [30'] [@networkException] Introduction - When, where and how do our keys live? Let's design a device & key state machine
- [90'] [@kim, @TheOneWithTheBraid] Matrix account creation and crypto bootstrap
- [60'] [@kim] Implement trust levels with Matrix
- [30'] [@kim] User Profile Privacy
- [30'] [@holz/ @networkException] Define room management and power levels (room creator)
- [90'] [@holz] Pseudonymous / sector-/service-/agency-specific identifiers #199 (previous "unlinkability and trust")
Wed (+ P & Q)
- [90'] [@networkException] Introduction - Between QR codes, eID and id.bund.de - How to get sessions (and keys) from A to B
- [45'] [@TheOneWithTheBraid] Device verification (trust towards other participants)
- [90'] [@TheOneWithTheBraid] Cryptographic access recovery (trust towards own devices)
- [30'] [@Yan] Integration of BundID/SAML into MAS? What would we gain?
- [30'] [@kim] bPK2 / MX ID generation
Thu
- [40'] [@holz] Integrate Neo into government apps (e.g. BayernApp)
- [60'] [@kim] Challenges in deleting accounts / messages / cases (GDPR-requirement)
- [backlog/parking lot (Themenparkplatz) - @holz] Let's discuss our Epics together
- [backlog/parking lot (Themenparkplatz)] Threat Modelling
Who needs to be involved / informed
- reviewers:
- involved:
- informed:
Edited by Marco Holz