'Request authentication' section needs clarification

[richvdh]

https://matrix.org/docs/spec/server_server/r0.1.1.html#request-authentication says that requests are 'authenticated using public key digital signatures', but does not say how the receiving server should get the key.

In short: it should obtain the key from the calling server via the /_matrix/key/v2/server endpoint. Once the valid_until_ts expires, it must re-check the key before accepting further requests.

[richvdh]

I've just spotted that https://matrix.org/docs/spec/appendices.html#checking-for-a-signature says:

Looks up verification keys for the remaining signing key identifiers either from a local cache or by consulting a trusted key server. If it cannot find a verification key then the check fails

The trouble with that (except for the fact that I forgot to look there) is that the rules for how you get a key depend on whether you are checking a federation request or an event.

In this case:

• There is no need to use a "trusted key server" in this case - rather we should go to the origin server, which we know must be online because it is sending us a request.
• The key must be valid as of "now".