In the messaging space it is common for apps to expose exactly 1 chat for a conversation between two users, and in some cases a specific set of users. Matrix currently does not adequately support this as it allows for multiple rooms to represent a DM between two users. Although supporting multiple chats with individuals is potentially useful for some use cases, clients are increasingly wanting to be able to support exactly one DM for a user.
Any messaging app is likely to want to differentiate DMs from all the noise, and Riot in particular is looking at using the DM between users for a more personal experience within the app (such as key verification between users). This proposal focuses on immutable DMs between users to assist in identifying the "One True DM" between users and prevent the room's scope from increasing.
For comparison to Matrix, the following chat apps/platforms all support and encourage a single DM between users. They all redirect the user to an existing chat with the target user, creating a new DM if needed.
- Slack
- Discord
- IRC
- Telegram
- Gitter
- Facebook Messenger
- Hangouts
- Rocket.Chat
- Steam
- SMS
- and probably many others...
Platforms which allow/encourage users to have multiple DMs with a specific person are:
- Matrix (currently)
- XMPP (technically speaking)
This proposal covers how servers enforce exactly one DM (ideally immutable) between a set of users. Clients have some responsibilities to render this appropriately, however the server is expected to do most of the heavy lifting here. Immutable DMs are direct chats between users where the participants can't change the room's aesthetics. For example, users can't change the name or topic of the room, and they'll always be DMs.
This proposal supports "direct chats" or "DMs" in the sense of private conversations with a set of users. This means that a DM between 3 users is possible, however the common case is likely to be 1:1 (2 person) chats.
Immutability of DMs is also proposed in this MSC, however as an optional feature of DMs and not a requirement.
In short, the entire direct chat module in Matrix is deprecated by this proposal. The direct chat module relies on clients behaving themselves and tracking all the information for themselves while somehow coming to the same conclusions as any other client the user happens to run. In practice this becomes very difficult to do and maintain, particularly given the direct chats are stored in an account data blob. If two clients were to update the account data at the same time (which happens a lot), the clients would end up overwriting each other.
Direct chats consist of "important" and "unimportant" users to allow for bots and personal assistants in a chat. Unimportant users don't affect the DM-ness of the room and are essentially observers on the room (with speaking rights). How classification is done is defined later in this proposal.
Direct chats are now expected to be identified and labelled by the server through the summary
response field on /sync
. The m.heroes
MUST contain the important users in a DM, regardless
of the presence of a name, canonical alias, etc on the room. The heroes must never be truncated
for a DM, and must not contain the syncing user's ID. A new field, m.kind
, is mandatory for
direct chats which can only be m.dm
. Future values may be added in a future proposal. Like
the other fields in the summary, m.kind
may be omitted if there was no change in the field.
For the purposes of demoting a DM from its DM status, m.kind
can also be the literal null
to identify it as "unknown or irrelevant kind".
Implementation note: clients can identify whether a room is a 1:1 or multi-way chat by looking
at the m.kind
and m.heroes
: if the kind is m.dm
and there's only 1 user in m.heroes
then the room is a 1:1 chat. If the kind is m.dm
and there's 2+ users in the m.heroes
then
it is a multi-way/private group chat.
Implementations should also be wary of semantics regarding what causes a room to jump between a multi-way DM and a 1:1 DM. Users can be invited (and joined) to either kind of room without causing the room to jump to a different kind: for example, a 1:1 chat can have several unimportant users in it (bots, etc) which do not make it a multi-way DM. Similarly, if an important user were to leave a multi-way DM the room does not become a 1:1 DM. This is all described in further detail later in this proposal.
With irrelevant fields not included, an example sync response would be:
{
"rooms": {
"join": {
"!a:example.org": {
"summary": {
"m.heroes": ["@alice:example.org"],
"m.joined_member_count": 1,
"m.invited_member_count": 1,
"m.kind": "m.dm"
}
},
"!b:example.org": {
"summary": {
"m.heroes": ["@bob:example.org"],
"m.joined_member_count": 2,
"m.invited_member_count": 0,
"m.kind": "m.dm"
}
},
"!c:example.org": {
"summary": {
"m.heroes": ["@alice:example.org", "@bob:example.org"],
"m.joined_member_count": 3,
"m.invited_member_count": 0,
"m.kind": "m.dm"
}
},
"!d:example.org": {
"summary": {
"m.joined_member_count": 5,
"m.invited_member_count": 2,
}
}
}
}
}
Clients rendering the above should end up with something like the following:
Servers are expected to be able to identify direct chats for users and flag them appropriately in the room summary. How existing DMs are migrated is covered later in this proposal. The server must use these rules to determine if a room is a direct chat:
- The join rules are
invite
. - The rejoin rules are
invite
orjoin
(as per MSC2213). - The user's most recent membership event has
"m.dm": true
in thecontent
. - The room has an explicit power level event (running a DM without a PL event is not supported).
- The room has at least 2 possible important users (who may or may not be joined yet).
- The user themselves is important in the room.
- The room is not tombstoned.
- The room is not soft-tombstoned by the server (described later in this proposal).
- No important users have been banned. Kicking or leaving the room does not affect the DM-ness of the room.
Assuming no other conflicts arise (duplicate chats, etc) the room is considered a DM between
the important users in the room. Important users are identified simply by having a power level
greater than or equal to the state_default
power level requirement.
The server MUST maintain the m.dm
flag when updating or transitioning any user's membership
event. The server SHOULD refuse to let the user manipulate the flag directly through PUT /state
and similar APIs (such as inviting users to a room). Servers MUST consider a value of false
the same as the field not being present.
Servers are not expected to identify a room as a direct chat until the server resides in the
room. Servers MUST populate the room summary for invites if the server is a resident of the
room. Clients SHOULD use the room summary on invites and joined rooms to identify if a room
is a direct chat or not. Where the summary is not available and an m.dm
field is on the
invite event, clients should be skeptical but otherwise trusting of the room's DM status.
For example, a skeptical client might list the room with a warning stating that the room
is flagged as a DM without being appropriately decorated, but not prevent the user from
accepting the invite.
Servers MUST attempt to identify (or re-affirm) rooms as a DM whenever the relevant state events in the rules above change or are updated.
Soft tombstoned rooms are rooms which are considered tombstoned without an actual tombstone state event being present. This is typically used to flag rooms where tombstone events cannot be sent as tombstoned. This proposal goes into more detail on this a bit later.
Unless an important user is banned, the DM is still considered alive and should be able to be rejoined even if some important people were to leave. However, there's a good chance that when all important users leave that the room becomes unjoinable and therefore dead. To help combat this, servers should approach rooms where important users have left with caution by assuming the room cannot be brought back to life.
If MSC1777 or similar were to land, the server should abuse the capability to determine how alive the room is. By refreshing its perspective, it can avoid scenarios where it has to make assumptions about the state of the room it is no longer in. The server should never autojoin the user to the room, regardless of MSC1777 support or not.
The following cases are reinforcement reading for the conditions mentioned so far. They describe how the server is expected to behave given a common scenario - not all scenarios are covered here.
Case 1: The DM resides on a single homeserver: when all important users leave the DM, the DM is to be considered soft-tombstoned for those users. This will cause a new DM to be created. The presence of unimportant users can be enough for a homeserver to consider the room not dead and therefore rejoinable.
Case 2: The DM resides on 2+ homeservers: this gets a bit tricky. When the last important user leaves, that homeserver would not have visibility on the room anymore but does not have enough information for it to be tombstoned (soft or otherwise). Another server can still rejoin the room due to unimportant users being left behind, or keep the room alive without the other homeserver continuing participation. The homeservers involved will still converge on the room when other conversations start.
Case 3: A duplicate DM comes in for a room the server has left: when the server does not have visibility on the members of a room anymore it cannot tombstone newly created rooms and point to the room it can't see. If the server happens to be a resident of the room, it can absolutely tombstone the new room in favour of the old room, even if the server's membership is just unimportant users and the important users having left. When the server does encounter an invite for a DM which duplicates a room it has left, it must assume that its perspective of the older room is antiquated and that something happened to cause a new invite to come in. After joining, if a server happened to tombstone the room to point to the older room then the user could then try and join the room and refresh the server's perspective.
Note: Originally case 3 had a step for the server to autojoin the user into the existing room to refresh its state, however this left a glaring hole for abuse to filter its way down to a given user.
The room creation preset trusted_private_chat
is deprecated and to be removed in a future
specification version. Clients should stop using that preset and instead use the new endpoint
for creating DMs, as defined here.
POST /_matrix/client/r0/create_dm
:
This is mostly a clone of /createRoom
with the unnecessary parts left behind. This does not
replace /createRoom
. This requires authentication and can be rate-limited.
Request parameters (JSON body):
room_version
(string
) - The version to create the room with. Same asroom_version
from/createRoom
.invite
([string]
) - The list of user IDs to invite to the room. Same asinvite
from/createRoom
with the added behaviour described below.invite_3pid
([3pid invite]
) - The list of 3rd party users to invite to the room. Same asinvite_3pid
from/createRoom
with the added behaviour described below.creation_content
(object
) - Additional content for the creation event. This is also the same ascreation_content
from/createRoom
.
Note: name
, topic
, visibility
, room_alias_name
, initial_state
, preset
, is_direct
,
and power_level_content_override
are all intentionally excluded from the clone. There is no
preset support, aesthetic characteristics of the room (name, topic, etc) are not supported for
immutable DMs under this MSC, and the remaining fields do not have strong use cases for DMs -
clients can always send state event updates after creating the room, for instance.
Response (JSON):
The server creates the room similar to how /createRoom
operates:
-
An
m.room.create
event is created, as ism.room.power_levels
using the defaults. -
Join rules of
invite
are set with a rejoin rule ofjoin
, as per MSC2213). This is to allow DMs to be re-used (described later) without sacrificing security of the DM by letting random people who were invited at some point into the room. -
History visibility of
invited
is set. -
Guest access of
can_join
is set so that guests can be included in DMs where needed. -
Encryption is enabled by default using the most preferred megolm algorithm in the spec. Currently this would be
m.megolm.v1.aes-sha2
. -
Power levels with the following non-default structure are set:
{ "events_default": 0, "state_default": 50, "users_default": 0, "ban": 50, "invite": 50, "kick": 50, "redact": 50, "notifications": { "room": 50 }, "events": { "m.room.name": 100, "m.room.avatar": 100, "m.room.topic": 100, "m.room.history_visibility": 100, "m.room.power_levels": 100, "m.room.join_rules": 100, "m.room.encryption": 100, "m.room.canonical_alias": 100 }, "users": { <see below> }, "third_party_users": { <see below> } }
This power level event is not applied until after the invites have been sent as otherwise it would be impossible to give third party users power. Servers should apply a default power level event to the room and then apply the power level event described here after the invites have been sent. Servers can optimize this process and use this power level event at step 0 of the room creation process if there are no third party invites to send. Users invited to the room get power level 50, including the creator.
- Third party users invited to the room get power level 50, as described by MSC2212 (see
later on in this proposal for how this works). Like the invited users, all third party
users invited as a result of the
/create_dm
call are considered important.
- Third party users invited to the room get power level 50, as described by MSC2212 (see
later on in this proposal for how this works). Like the invited users, all third party
users invited as a result of the
-
Users (3rd party and otherwise) are invited. Important users (those invited and the creator) MUST have
"m.dm": true
in their membership event content. Third party important users get the samem.dm
flag on theirm.room.third_party_invite
event contents.
Servers MUST return an existing room ID if the server already knows about a DM between the important users. The important users which have left the DM MUST be explicitly re-invited. If the user trying to create the room is not in the DM themselves, the server MUST try and re-join the user to the room. If the re-join fails, the server should create a new room for the DM and consider the existing one as soft-tombstoned.
The rationale for preventing either party from manipulating the room is to ensure that there is equal representation of the room from both parties (automatically named, automatic avatar, etc). Users generally expect that a DM will be predictably dressed for searching and scanning, meaning that the other parties cannot change the aesthetics of the room. For predictable history and privacy, the room's history & join rules are locked out from the users. The users can upgrade the room at any time to escape power level struggles, although this may not maintain the DM status.
Note: The private_chat
preset is untouched as it does not affect DMs. trusted_private_chat
was intended for DMs despite its name and is deprecated as a result.
Note: Servers are still expected to be able to identify DMs from /createRoom
, and clients
are able to craft DMs using /createRoom
. When this happens, servers MUST return an existing
room ID for a DM if one exists and it looks like the user is trying to create a DM through the
/createRoom
endpoint.
There is a potential for two users to start a DM with each other at the same time, preventing
either server from short-circuiting the /createRoom
call. Servers MUST NOT prevent users
from accepting or rejecting invites to known conflicting DM rooms. Servers SHOULD NOT retract
the invite and SHOULD NOT automatically join the user to the room. The rationale is that the
user is likely to have already received a notification about a room invite and would be
confused if the room went missing or was automatically accepted. Clients are welcome to adjust
their UX as desired to do something else instead (like automatically reject/accept the invite
or hide it when it is an apparent duplicate).
When the server joins a room it has identified as conflicting/duplicating an existing DM it MUST apply the conflict resolution algorithm:
- Order all the conflicting room's creation events by their
origin_server_ts
. - Pick the room with the oldest creation event as the canonical DM.
- Send a tombstone state event to the non-canonical DM rooms pointing at the canonical room.
- If the tombstone cannot be sent by the server due to auth rules, it must consider the room as "soft-tombstoned". A soft-tombstoned room is just a flag for preventing a room from being counted as a DM and has no further behaviour or implication in this proposal.
The rationale for picking the oldest creation event is it is likely the room with the most context for the user. It is possible that a malicious user intentionally creates a new room with an ancient creation event however there's very little gain in doing so. The algorithm is chosen such that any two servers come to the same conclusion on which room to use.
There may come a time where DM rooms need to be upgraded. When DM rooms are upgraded through the
/upgrade
endpoint, servers MUST preserve the content
of the previous room's creation event and
otherwise apply the immutable_dm
preset over the new room. If conflicts arise between
the previous room's state and the state applied by the preset, the preset takes preference over
the previous room's state.
Servers MUST create the new room by using the the room creation rules listed earlier in this proposal. This means inviting the other parties of the previous room to the new room automatically and ensuring the room state is as described above. Auth errors with transferring state (such as the room name) must be considered non-fatal to the upgrade process: just skip that state event.
Note: normally room upgrades modify the power levels in the old room in an attempt to mute all participants. However, no one will have power to modify the power levels in the old room. Therefore, servers MUST NOT fail to upgrade a room due to being unable to update the power levels in the old room. This is considered acceptable by this proposal because upgraded DM rooms will lose their DM status, making them at worst just another room for the user.
Servers should do their best to follow tombstones to new DM rooms, however they should not assume that those new rooms are valid DM rooms nor should they automatically join/invite the important users to the room.
Servers which implement this MSC prior to it appearing in a spec release MUST advertise as such
through the unstable feature flag m.immutable_dms
on /versions
. Clients which detect server
support should not only check for the feature flag but also the presence of a supported spec
version on the server (as the flag may disappear once the feature lands in a release). Currently
this proposal is expected to land in r0.6.0 of the Client-Server API.
Some servers have thousands and even millions of users which will need their DMs migrated. In
order to allow those servers to advertise the feature (both as an unstable flag and as a released
spec version) the client SHOULD assume that the server has not migrated its user's DMs until the
server sends the m.direct_merged
account data event. More information about migration can be
found in the next section.
Users already have DMs which need to be correctly mapped by the server. Servers MUST use the following process for migration for each user:
-
Grab a list of room IDs from their
m.direct
account data (if present). Ignore the user IDs that are associated with the room IDs. -
Identify each room as either a DM or some other room, flagging them as appropriate, using the following steps:
- If the room does not have a
rejoin_rule
, consider the rejoin rule asjoin
for the purposes of identification. - Identify the room using the rules specified earlier in this proposal.
- If the room did not have a
rejoin_rule
, attempt to set the rejoin rule tojoin
. If that fails, do not consider the room a DM. Note that this will not cause the rule to magically work on prior room versions: it is just set to ensure that the DM flagging conditions are met as they don't care for the behaviour, just the value being present.
Identification of DMs may involve conflict resolution, which should only happen after the steps above have been executed.
- If the room does not have a
-
Set
m.direct_merged
account data withcontent
consisting of a single array,rooms
, listing all the room IDs the server iterated over, regardless of result.
The server SHOULD support automatically migrating any additions to m.direct
even after migrating
the user. This is to allow for the user having an older client which does not yet support proper
DMs. Removals from m.direct
are recommended to be left unhandled to ensure consistency with the
updated DMs.
Clients SHOULD NOT assume that the server will migrate direct chats if the user's m.direct
account data does not list any rooms. This is more important for new accounts created after the
DMs feature has been introduced in Matrix: if the server had to set m.direct_merged
for every
user in the future, the server would be collecting largely useless data. Instead, the server is
given the option to skip migrations for users that have no data to migrate (such as new users).
Appservice users and some bots are unlikely to see the room summary information. In an attempt to combat this, some APIs are provided for users and thin clients to call and poke into the server's view of their DM list.
The expected use cases for not using /sync
are:
- When appservices want to contact a user in a DM fashion (IRC bridge sending NickServ info).
- When thin bots aren't syncing and want to alert users (monitoring bots triggered by external event).
- Clients which don't trust their local cache of DMs.
Appservices in particular are expected to heavily use the DM-finding API below and should cache the result. When the appservice sees an event which the server might have reidentified the room for it should invalidate its cache. Servers should make both of these endpoints highly cached.
GET /_matrix/client/r0/user/:userId/dms
The only parameter, :userId
, is the user ID requesting their DMs. The auth provided must be valid
for this user. Example response:
{
"dms": {
"!a:example.org": {
"important": ["@alice:example.org"]
},
"!b:example.org": {
"important": ["@bob:example.org"]
},
"!c:example.org": {
"important": ["@alice:example.org", "@bob:example.org"]
}
}
}
The important
array does not include the user themselves.
GET /_matrix/client/r0/user/:userId/dm?involves=@alice:example.org&involves=@bob:example.org
The :userId
is the user ID requesting their DMs - the auth provided must be valid for this user.
This additionally takes ?involves
(specified multiple times) to search for a DM involving the given
users. It should be considered a bad request if the user asks for a DM involving themselves.
Example response:
{
"room_id": "!c:example.org"
}
If no DM exists involving those users, an empty object should be returned with 200 OK.
Third party invites (email invites) are hard to handle as the participants in the room are unlikely to be able to modify the power levels in the room because the immutable DM preset forbids this by design. To remedy this, this proposal requires that third party users get their own power level, as described in MSC2212.
In addition to MSC2212, this proposal requires that a m.dm
field be added to the
m.room.third_party_invite
event. When the invite is claimed, the m.dm
field must
be copied to the generated membership event.
Earlier in this proposal it was mentioned that the existing direct chats module is replaced by this proposal, however it didn't exactly explain the scope. The existing module is optionally supported by servers (which requires very little effort on their part), however this proposal recommends that servers drop support completely per the deprecations below.
Deprecated things:
is_direct
on/createRoom
now does nothing (ignored field, like any other unrecognized field).is_direct
on membership events now means nothing (replaced bym.dm
).m.direct
account data is deprecated (replaced with the behaviour described in this proposal).
After sufficient time has passed, the deprecated components should be removed from the specification.
Disclaimer: This section might add clarity but might also be confusing. Sorry.
Simple case
The happy path of DMs.
- Alice starts a DM with Bob. Alice and Bob end up with a single room.
- Bob then starts a DM with Alice and gets redirected to the existing room by their client or server.
- Alice tries to start a new DM with Bob. Like Bob in the last step, Alice is redirected to the existing room.
- Bob then starts a DM with Alice and Charlie. A new room is created. Similar redirection semantics take place when the three parties attempt to duplicate the room.
Simple glare
The slightly less happy path of DMs: when servers collide.
- Alice and Bob reside on different homeservers.
- Alice starts a DM with Bob, who does not accept nor reject it.
- Bob starts a DM with Alice, who does not accept not reject it.
- Alice accepts Bob's invite. Alice's server realizes this is a duplicate room and sends
a tombstone to the room, pointing at the DM Alice created earlier.
- During this, Bob's server would have originally flagged the room as a DM for Bob and Alice, but the tombstone signals to Bob's homeserver that something is up and assumes that Bob has no DM with Alice (yet).
- Bob gets a tombstone in Alice's DM and realizes there's a pending invite. Bob accepts.
- Bob's homeserver sees that the room is a DM and flags it as the DM for Bob and Alice.
Alice and Bob's homeserver have come to the same conclusion. In the worst case, both servers could accept the invites at the same time and conflict with each other on the tombstone. The worst case for this is a split DAG on the tombstone with two tombstone state events, resolved through state resolution. Both servers would have still come to the same conclusion on which room to use so either of the tombstone events sent could be considered a no-op.
De-duplication during migration / tombstone tree
- Alice has 3 existing DMs with Bob, who resides in both rooms.
- The server updates (Alice and Bob happen to be on the same server in this example, however the scenario works cross-server too).
- The server realizes that Alice and Bob share multiple DMs and pick the oldest DM. The server tombstones the other 2 rooms.
- Alice and Bob now have exactly one DM with each other.
The room map looks a bit complicated now, but there's a tree of rooms where two point to
a single room. Clients aren't exactly expected to represent this nicely but can try if they
want to. There will be no predecessor
for them to work off of.
If the canonical DM room was then upgraded or otherwise tombstoned itself, the tree starts to become more linear.
Tombstone tree with glare
Following the example of a "tombstone tree" then creating a conflicting room with glare the servers should resolve to use the canonical room identified by the tombstone tree. The conflicting room should be tombstoned to point at the canonical room.
Change in power levels, join rules, or membership
If the power levels or join rules change then the server needs to re-evaluate the room. If the room ends up being no longer a DM, the server must flag it as such to the relevant clients and not send a tombstone into the room. The parties are considered to not have a DM.
If the membership changes such that someone ends up leaving the room (on their own or through a kick/ban) then the DM is no longer considered a DM, similar to the paragraph above.
If the room starts to look like a DM again (members rejoin, join rules become acceptable again, etc) then the conflict resolution algorithm might take place depending on the user's DMs.
Malicious takeover of a DM
- Alice and Bob are on different homeservers, but don't have to be for this scenario.
- Alice starts a DM with Bob. Bob accepts.
- Bob's homeserver sends a tombstone into the DM to point it at Matrix HQ.
- Both Alice and Bob no longer have a viable DM: both homeservers do not consider Matrix HQ as the replacement room, and do not treat the tombstoned room as a DM.
Ultimtely this is a wasted effort: both homeservers would start a new DM after the room was directed at HQ.
The cases covered by leaving DMs above
This proposal covers a few cases that servers are supposed to consider when a user (or many users) leaves a room. Please reference that section for more detail.
This is really complicated for servers to implement. The alternative is that the client does all the work (see below in 'Alternative solutions') however this is deemed unreasonable by the author and early reviewers of the proposal.
This allows for bots and personal assistants to be residents of a room. There is an argument for restricting DMs to just important users (excluding any chance of unimportant users), namely to ensure that security is not sacrificed through leaky bots/assistants. The author believes there is a stronger argument for assistant-style/audit bots in a DM, such as a reminder bot or Giphy bot. The rationale being that although bots pose a security risk to the conversation, the rooms are supposed to have a history visibility setting which prevents the history from being exposed to the new parties. Important parties additionally should have the power to remove the new user account from the room if they don't agree.
This proposal enables encryption by default for DMs. Encryption in the specification is moderately incomplete as of writing, making the move to enable encryption by default somewhat questionable. For instance, a large number of bots and bridges in the ecosystem do not currently support encryption and generally fall silent in encrypted rooms. Bots in today's ecosystem can use Pantalaimon or add dedicated support if they so choose, however bridges are still unable to decrypt messages even with Pantalaimon. Bridges being able to support encryption (they'll need EDUs and a device ID) is a problem for a different MSC, and likely a different spec version. In the meantime, this proposal specifically does not prohibit DMs which are unencrypted and bridges can start DMs as such, or refuse to participate in DMs which are encrypted. Generally speaking, bridges in the current ecosystem start the DMs with users instead of the users contacting the bridge, however there are some prominent examples of this being reversed (IRC, most puppet bridges, etc). Clients can combat this by identifying bridge namespaces (also a future spec problem) and offering users the option to not encrypt the room, or by just having that checkbox always present. Ideally, this proposal and cross-signing, better encryption for bridges, etc all land concurrently in the next specification version.
This proposal is vague about which encryption algorithm to support. This is an intentional choice by the author to support the possibility of a given encryption algorithm being deemed unsuitable by Matrix in the future. For example, if a given algorithm was broken or found to have security flaws it would be difficult to update the specification if the preset had baked in a specific algorithm. Instead, the proposal asks the specification to make a recommendation and for servers to think critically of the available algorithms (of which only one is actually available at the moment) to make the best decision for their users.
The sugar APIs are a bit awkward for the value they provide. Bridges are more commonly in need of direct chats and thin bots arguably can still sync their way through life. Bridges, and possibly clients, could receive changes to their DMs over a purpose-built room managed by the server. Similar to server notices, the server could maintain state events in a readonly immutable room for the user/client to sit in and receive updates. The author feels as though this is more complicated than it should be, requiring servers to maintain hundreds, thousands, or even millions of dedicated rooms for users which can easily overwhelm an appservice. For instance, the Freenode IRC bridge has millions of users which would equate to millions of rooms which all need to be synced down the appservice pipe which is already fairly congested.
Servers could be less involved and all this work could be done by the client. Although easier for servers, clients are more likely to run into conflicts between themselves. The most common type of conflicts for clients to have is updating account data at the same time, which happens a lot more often than it should. When there's conflicts in updating account data, there's a strong possibility that data is lost due to overwrites. Sure, the client could be told to use room tagging instead however a similar problem occurs when one client wants to add a tag and another wants to remove it. An earlier draft of this proposal did cover what a mostly client-side implementation of immutable DMs could look like: it can be found here.
Servers could be even more involved and require a whole new room version to change the event auth rules for DMs. The author strongly believes that this is far too complicated and way overkill for what Matrix needs/wants to achieve, despite having written an earlier draft of this proposal calling for exactly that. Many of the problems with this approach are described in that draft, found here.
There is also an argument that the existing solution is fine and clients should just make it work for their purposes. The author believes this is an invalid argument given the introduction of this proposal and the problems highlighted regarding client-driven DMs.
Some clients are investigating the usage of immutable DMs for security and privacy related
functionality of their design. For example, client designers are looking into handling key
verification and cross-signing within the immutable DM (if such a concept existed) rather than
in a floating dialog. To accomplish this in a safe and secure way it may be desirable to have
high levels of enforcement regarding immutable DMs. This may increase the user's comfort in
knowing that none of the users in the room can manipulate it. Clients which need this level of
confidence may wish to ignore insecure DMs and attempt to start new ones by upgrading the
existing DM through a predefined preset
(ideally acquiring permission first).
There is a theoretical scenario where a homeserver or user could maliciously prevent a user from opening a new DM with them. This is considered a feature given modules like ignoring users exists, however a homeserver/user could continously set up a scenario where an existing DM becomes unjoinable while sending tombstones for all new DM rooms which point to the unjoinable room. This has a largely social impact on the room that technology cannot resolve (if people are going to be mean, they're going to be mean). Attempts to alter the DM such that the user cannot join without being notified are possible (changing the rejoin rules) however in those cases both homeservers should be considering the room as no longer a DM, unless of course the homeserver was being the malicious actor. Because of how tombstones currently work in Matrix, users would have to perform an action to try and join the new DM and eventually the user may get frustrated with the other user and ignore them, breaking the cycle of new DMs being created.
The existing DM system in Matrix support multiple DMs with a user, however that system is not necsarily more complex than this proposal (in fact, it's probably simpler than what is proposed here). The existing system has the disadvantage of being non-deterministic where two users in the same room can have a different view of that room in their clients: Alice can see it as a DM whereas Bob sees it as just another room. Having non-deterministic DMs can lead to conversational confusion ("hey Bob, let's go to our DM" and Bob asking where that is) or uncertainty about where to send sensitive information.
Using the example of clients wanting to use DMs as a channel for exchanging key information, knowing that all parties in the conversation perceive it as a DM is important. If the verification were to land in a random room, the other party may miss it or be concerned it is not a real verification request.
Further, the existing system is managed completely client-side and every client is expected to clone the same logic. By pushing the DM calculations to the server, all the client has to do is render them. Most messenger Matrix clients want or have a concept of DMs, and instead of duplicating the same code over and over the server could just inform the client of its DMs.
Immutable DMs are a hard problem to solve and involve a bunch of tiny changes to multiple parts of the specification. Of all the iterations of this proposal, this proposal is targeted at being a safe balance of client complexity and user safety, sacrificing the server's complexity in favour of predictable results. Most clients are interested in implementing DMs in some capacity, and this proposal helps make it less painful and more reliable for them. Users should feel safer to use DMs with this proposal given the enabled encryption and permissions models imposed on the room.