Implement MSC3061: Sharing room keys for past messages on Invite

[dkasak]

• Add Flag to disable/enable it in crypto config
• UX | Add an info text in the invite dialog stating that history will be shared
• Implement on other platforms.
  • Sharing room keys for past messages element-android#4153
  • Sharing room keys for past messages element-ios#4947
  • Implement MSC3061: Sharing room keys for past messages  matrix-org/matrix-rust-sdk#580
  • Share keys for historical messages when inviting users to encrypted rooms matrix-org/matrix-react-sdk#5763
• Enable share keys on Invite by default on Mobile #748
• Element-R: Historical room key sharing (key share on invite) element-web#26867

[BillCarsonFr]

SCOPE UPDATE

There are some scalability issues with sending the keys for the full history, as well as several edge cases. We don't want to fix all of them on existing SDKs (mobile, web).
The Rust SDK implementation should be complete.

So for existing SDKS the main goal is to give the new joiner the immediate context on the room to know why he was invited, so basically the recent histoty not full history.

[benparsons]

Do we think implementation of MSC3061 should include web? element-hq/element-web#22999 is a web UI task for room history key sharing that is currently biting a customer fairly badly. If we could include this task here it would be helpful.

[richvdh]

Do we think implementation of MSC3061 should include web? vector-im/element-web#22999 is a web UI task for room history key sharing that is currently biting a customer fairly badly. If we could include this task here it would be helpful.

I'm reasonably sure this is already implemented on web. AFAICT element-hq/element-web#22999 is just a bug, not a missing implementation.

EDIT 2024-06-13: this is no longer true, because the Rust crypto stack doesn't implement it; tracked at element-hq/element-web#26867

[thoraj]

We consider this feature important. Without it using Matrix for collaboration in a business setting is cumbersome.
E.g when:

• Bringing new team members to a project which is discussed in a room
• Have a co-worker cover your tasks when on vacation
• ++

What needs to happen to get this MSC moving again, so it can be merged, and find its way to clients and servers?

[jeudesprits]

I agree with what has been said above. We also chose Matrix but didn’t pay much attention to this issue at the beginning, and now we really need this feature. It would be great to hear some timelines, if possible.

[thoraj]

A guesstimate for when the security disclosure will be made would be nice. Depending on the potential attack vector the risks may be mitigated or accepted.

Without the disclosure we don't know.

[mpeter50]

I agree that this feature is very important, but @thoraj , did you intend your last comment to be sent here? If so, what kind of security disclosure do you mean? As I understand, a vulnerability was not a topic here.

[thoraj]

@mpeter50 Sorry for not providing context.

My reference to a disclosure is based on a comment made in #e2e:matrix.org today. Apparently the MSC is blocked awaiting a security disclosure and having the issue resolved.

[dkasak]

We're working on this now, so the disclosure should come in the next couple of weeks.

[thoraj]

@dkasak Any updates for this?

We are receiving complaints about this being flaky for our customer, and we are curious to know what the issue/disclosure is about, and how we can address this?

[dkasak]

Yes, sorry, I wanted to post an update but failed to find this particular issue.

The reason this was blocked was disclosed today in https://matrix.org/blog/2024/10/security-disclosure-matrix-js-sdk-and-matrix-react-sdk/ and the associated advisories. The plan forward is outlined in this section.