You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently we detect 2 different things for identity changes ( for simplicity, consider here only OtherUserIdentity):
(Pinning Violation) The first time an identity is seen we remember the MSK and if the identity later change it will be a pinning violation
(Verification Requirement Violation) If an identity was previous verified is not anymore.
Also we do not have support for any sort of historical identities for user. If a user changed identities 20 times we don't keep track of that. We just have the current identity, and the last pinned one.
The data structure for Pin vs VerificationRequirement are a bit different.
Pinning
We remember the pinned_master_key (json structure of a mx cross-signing key).
After a keys/query with new cross signing keys, the cross-signing keys are updated but the pinned_master_key is untouched.
That's how we detect the violation.
The violation can be resolved by pinning the current msk and replacing the old pinned_master_key with it.
Verification
We keep a cached flag if an identity was verified once (set to true the first time we it verified).
The fact that is currently verified is stored via the signatures (it is verified if own identity is verified and the other msk is signed by the own usk).
There is a verification requirement violation if the identity was previously verified (cached flag) and it is not anymore.
The violation can be resolved by clearing the cached flag (withdraw verification requirement), or by re-verifying the other user.
Pinning & Verification Violations
Pinning and Verification are "~Orthogonal" concepts. For example if Bob verified identity is replaced by a new verified identity, there will be a Pin Violation, but not a Verification Violation.
Initially this method was also supposed to be used when sharing room keys in order to fail to distribute keys if a user approval was needed. But we decided against that, in order to not make TOFU identity changes blocking. Considering that showing the change notice is engough, it doesn't matter if it is a bit after it occurred.
Based on that, that means that in the following scenarios we won't show identity change notice in this cases:
Bob identity changes from a verified identity to a new verified identity.
Bob identity changes from a TOFU trusted identity to a new verified identity.
Bob identity changes from a verified identity to a past identity that was verified (~replay)
=> We probably always want to show the identity change notice even if the new identity is verified.
Also, we need to see what to do regarging pinning when the verification requirement is withdrawn, e.g. probably want to pin the new identity?
The text was updated successfully, but these errors were encountered:
Context
Currently we detect 2 different things for identity changes ( for simplicity, consider here only OtherUserIdentity):
Also we do not have support for any sort of historical identities for user. If a user changed identities 20 times we don't keep track of that. We just have the current identity, and the last pinned one.
The data structure for Pin vs VerificationRequirement are a bit different.
Pinning
We remember the
pinned_master_key
(json structure of a mx cross-signing key).After a
keys/query
with new cross signing keys, the cross-signing keys are updated but thepinned_master_key
is untouched.That's how we detect the violation.
The violation can be resolved by pinning the current msk and replacing the old
pinned_master_key
with it.Verification
We keep a
cached flag
if an identity was verified once (set to true the first time we it verified).The fact that is currently verified is stored via the
signatures
(it is verified if own identity is verified and the other msk is signed by the own usk).There is a verification requirement violation if the identity was previously verified (cached flag) and it is not anymore.
The violation can be resolved by clearing the
cached flag
(withdraw verification requirement), or by re-verifying the other user.Pinning & Verification Violations
Pinning and Verification are "~Orthogonal" concepts. For example if Bob verified identity is replaced by a new verified identity, there will be a Pin Violation, but not a Verification Violation.
When to show identity changes to user?
Currently we rely on the
identity_needs_user_approval
method.Initially this method was also supposed to be used when sharing room keys in order to fail to distribute keys if a user approval was needed.
But we decided against that, in order to not make TOFU identity changes blocking. Considering that showing the change notice is engough, it doesn't matter if it is a bit after it occurred.
Based on that, that means that in the following scenarios we won't show identity change notice in this cases:
=> We probably always want to show the identity change notice even if the new identity is verified.
Also, we need to see what to do regarging pinning when the verification requirement is withdrawn, e.g. probably want to pin the new identity?
The text was updated successfully, but these errors were encountered: