-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invisible Crypto | Share Room Keys: Update the Identity Based sharing strategy to use the tofu_trusted flag #3565
Comments
I don't understand this. What does "based on |
It's some new error variants that would be part of this matrix-rust-sdk/crates/matrix-sdk-crypto/src/error.rs Lines 32 to 72 in 8e8d793
It will be thrown by In the happy path for |
Thanks. I've updated the description. Can you confirm? |
@uhoreg will shepherd this one. |
See also #3793 which will update the sharing code to throw an error if the other user's identity was previously verified, and changes. |
Per recent discussions, we no longer want to throw an error on message send if a TOFU-trusted user rotates their identity. In short, if identity trust matters to you so much that you are worried about the race between sending a message and seeing an identity change notification, then you should have verified. |
In the recent discussions we said it was fine because we are going to show a warning notice to the user that the identity has changed. It's not that important if the warning notice is showned it a bit after the message is sent, what is important is that the warning is shown. What if we cannot ensure that the warning notice can be shown by the client? For example on mobile if the user do a quick reply/suggestion from the notification (that means sending without opening the app)? Or using the share sheet to share an image from another app. In these cases the client will not be able to show the notice as it doesn't control the UI. Are we confident that the next time the user opens the app that the warning notice will still be on screen (and not way back in history?) I am wondering if we might want a config option to throw on pin violation? |
We discussed this. The conclusion was that it was acceptable even if the warning was lost in backfill. The general point is: if you are paranoid, you should be verifying the other user. |
Part of https://github.com/element-hq/crypto-internal/issues/282 (Invisible Crypto).
#3563 added a new
IdentityBasedStrategy
room-key sharing strategy. #3564 added a "tofu" flag toReadOnlyUserIdentity
. We now need to updateshare_room_keys
to check the tofu flag.Add new cases to
OlmError
, to be returned byshare_room_keys
:Update 2024-08-08: we no longer want this behaviour.OlmError::UnconfirmedIdentityChange(Vec<OwnedUserId>)
if the user has not yet acknowledged an identity change for the recipient; and:OlmError::SendingFromUnverifiedDevice
if our current device has not yet been verified.The text was updated successfully, but these errors were encountered: