Element X: Return an error when sharing a room key to a verified user, who has an unverified device

[richvdh]

Part of element-hq/element-meta#2488, and a follow-up to #1129.

We need to prevent people who have explicitly verified someone accidentally sending messages. OlmMachine::share_room_key should check whether any of the target users have previously been verified; if so, and those users have unverified devices, share_room_key should return an error code.

We should ensure the error code is propagated up through the ui crate.

This behaviour needs to be optional, so should be configured via EncryptionSettings (could be the same setting as #3793)

[BillCarsonFr]

As discussed an alternative to that would be to simply ignore unsigned devices of verified users (and send a m.unverified withheld code so they know why)?
PRO: Less disruptive than fail to send.
CON: Will silently break communication, without the sender beeing aware of it. Notice that If the recipient properly supports withheld codes he would be able to spot the problem and verify the device.

@pmaier1 any preference?

[pmaier1]

I generally like it and think it's better than failing to send. Still, might be very disruptive. But if there's no way to understand why some devices get the message and some don't, then this is not gonna fly. Also, if there's no way to understand for the user on the unverified device, this is a problem and won't work. we need to wait for the full switch to Invisible Crypto then.

If there's no simple solution to this challenge, we have to warn when sending to unverified devices of a verified user, I'm afraid.

[richvdh]

See element-hq/element-meta#2488 (comment) for designs

[pixlwave]

For my reference:

For unverified device: In order to send anyhow, you have to blacklist or whitelist the device using Device::set_local_trust (you have all the problematic devices listed in the error) then just resend⁦