wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

E2E impl guide: check ids in device query

Browse source 
Update the E2E impl guide to note that the user_id and device_id returned from
a device query need to be checked.
This commit is contained in:
Richard van der Hoff 2016-10-18 20:36:36 +01:00
parent 4c008a4771
commit 157e51fbc9
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
supporting-docs/guides/2016-10-18-e2e_implementation.rst
View file

@ -399,13 +399,19 @@ and the corresponding signature for the ``signature`` parameter. If the
signature check fails, no further processing should be done on the signature check fails, no further processing should be done on the
device. device.
The client should check if the ``user_id``/``device_ie`` correspond to a device The client must also check that the ``user_id`` and ``device_id`` fields in the
object match those in the top-level map [#]_.
The client should check if the ``user_id``/``device_id`` correspond to a device
it had seen previously. If it did, the client **must** check that the Ed25519 it had seen previously. If it did, the client **must** check that the Ed25519
key hasn't changed. Again, if it has changed, no further processing should be key hasn't changed. Again, if it has changed, no further processing should be
done on the device. done on the device.
Otherwise the client stores the information about this device. Otherwise the client stores the information about this device.
.. [#] This prevents a malicious or compromised homeserver replacing the keys
for the device with those of another.
Sending an encrypted event Sending an encrypted event
-------------------------- --------------------------