E2E impl guide: check ids in device query
Update the E2E impl guide to note that the user_id and device_id returned from a device query need to be checked.
parent
4c008a4771
commit
157e51fbc9
1 changed files with 7 additions and 1 deletions
|
@ -399,13 +399,19 @@ and the corresponding signature for the ``signature`` parameter. If the
|
|||
signature check fails, no further processing should be done on the
|
||||
device.
|
||||
|
||||
The client should check if the ``user_id``/``device_ie`` correspond to a device
|
||||
The client must also check that the ``user_id`` and ``device_id`` fields in the
|
||||
object match those in the top-level map [#]_.
|
||||
|
||||
The client should check if the ``user_id``/``device_id`` correspond to a device
|
||||
it had seen previously. If it did, the client **must** check that the Ed25519
|
||||
key hasn't changed. Again, if it has changed, no further processing should be
|
||||
done on the device.
|
||||
|
||||
Otherwise the client stores the information about this device.
|
||||
|
||||
.. [#] This prevents a malicious or compromised homeserver replacing the keys
|
||||
for the device with those of another.
|
||||
|
||||
Sending an encrypted event
|
||||
--------------------------
|
||||
|
||||
|
|
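Review bot: The added paragraph ("The client must also check that the ``user_id`` and ``device_id`` fields in the object match those in the top-level map") does not say what the client does when the values differ. The signature check above it and the Ed25519 check below it both end with "no further processing should be done on the device"; state the same outcome here so that a mismatch cannot be read as something to note and continue past. It would also help to spell out which map "top-level map" refers to, since the hunk never names it, and to write **must** in bold as the following paragraph does so the two requirements read at the same strength.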