Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refine policy for identity change detection and notice #4099

Open
BillCarsonFr opened this issue Oct 9, 2024 · 0 comments
Open

Refine policy for identity change detection and notice #4099

BillCarsonFr opened this issue Oct 9, 2024 · 0 comments
Labels
encryption

Comments

@BillCarsonFr
Copy link
Member

BillCarsonFr commented Oct 9, 2024
edited
Loading

Context

Currently we detect 2 different things for identity changes ( for simplicity, consider here only OtherUserIdentity):

  • (Pinning Violation) The first time an identity is seen we remember the MSK and if the identity later change it will be a pinning violation
  • (Verification Requirement Violation) If an identity was previous verified is not anymore.

Also we do not have support for any sort of historical identities for user. If a user changed identities 20 times we don't keep track of that. We just have the current identity, and the last pinned one.

The data structure for Pin vs VerificationRequirement are a bit different.

Pinning

We remember the pinned_master_key (json structure of a mx cross-signing key).
After a keys/query with new cross signing keys, the cross-signing keys are updated but the pinned_master_key is untouched.
That's how we detect the violation.
The violation can be resolved by pinning the current msk and replacing the old pinned_master_key with it.

Verification

We keep a cached flag if an identity was verified once (set to true the first time we it verified).
The fact that is currently verified is stored via the signatures (it is verified if own identity is verified and the other msk is signed by the own usk).

There is a verification requirement violation if the identity was previously verified (cached flag) and it is not anymore.
The violation can be resolved by clearing the cached flag (withdraw verification requirement), or by re-verifying the other user.

Pinning & Verification Violations

Pinning and Verification are "~Orthogonal" concepts. For example if Bob verified identity is replaced by a new verified identity, there will be a Pin Violation, but not a Verification Violation.

When to show identity changes to user?

image

Currently we rely on the identity_needs_user_approval method.

Initially this method was also supposed to be used when sharing room keys in order to fail to distribute keys if a user approval was needed.
But we decided against that, in order to not make TOFU identity changes blocking. Considering that showing the change notice is engough, it doesn't matter if it is a bit after it occurred.

Based on that, that means that in the following scenarios we won't show identity change notice in this cases:

  1. Bob identity changes from a verified identity to a new verified identity.
  2. Bob identity changes from a TOFU trusted identity to a new verified identity.
  3. Bob identity changes from a verified identity to a past identity that was verified (~replay)

=> We probably always want to show the identity change notice even if the new identity is verified.

Also, we need to see what to do regarging pinning when the verification requirement is withdrawn, e.g. probably want to pin the new identity?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
encryption
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@BillCarsonFr