Eventually Consistent Access Control: Practical Insights on Matrix from Decentralized Systems Theory (matrix-conf-2025)

Access control is the core of any system's security, but usually provided by a single, centralized server. However, access control in a Matrix room is decentralized: every participating server *independently* decides *who* is authorized to send and receive *which* events, without consulting any other server. To the surprise of many, these decisions are still *eventually* consistent even if all but one server is malicious, but seeing *why* requires a new way of thinking about access control. I will explain the necessary design patterns from decentralized systems science, and show how they can be weaved together for a practical explanation of what Matrix is, and why Matrix can reach its astonishing levels of security and resilience. In this talk, I provide a primer on **design patterns from decentralized systems theory**, and explain what they mean for the current and future design of Matrix in practice. I will start with **concurrency as the root of all problems in decentralized systems**, and how network partitions and arbitrarily malicious servers stand in the way of consistency. Based on these problems, I will explain **conflict-free replicated data types** (CRDTs) and hash linking as the solution to still make a Matrix room eventually converge at all benevolent servers. Finally, I will show you my **access control to the best of knowledge and belief** way of thinking about eventually consistent access control in Matrix – you need to think in **two authorization decisions per event**, of which one is final on receiving the event, while the other one may ever be changing on receiving new concurrent events. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.2025.matrix.org/matrix-conf-2025/talk/X3KDAQ/