From e9bac1b011957c87e3791b916b70755fbafa401e Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 4 Feb 2019 13:49:29 -0700 Subject: [PATCH 1/3] Remove wrong references to TLS fingerprints Also fix some styling in the server discovery section - this didn't feel like it needed its own commit. --- specification/server_server_api.rst | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/specification/server_server_api.rst b/specification/server_server_api.rst index 778a5819..d00ca135 100644 --- a/specification/server_server_api.rst +++ b/specification/server_server_api.rst @@ -157,14 +157,14 @@ The process overall is as follows: and a port of 8448, using a ``Host`` header of ````. The target server must present a valid certificate for ````. -4. If the `/.well-known` request resulted in an error response, a server +4. If the ``/.well-known`` request resulted in an error response, a server is found by resolving an SRV record for ``_matrix._tcp.``. This may result in a hostname (to be resolved using AAAA or A records) and port. Requests are made to the resolved IP address and port, using 8448 as a default port, with a ``Host`` header of ````. The target server must present a valid certificate for ````. -5. If the `/.well-known` request returned an error response, and the SRV +5. If the ``/.well-known`` request returned an error response, and the SRV record was not found, an IP address is resolved using AAAA and A records. Requests are made to the resolved IP address using port 8448 and a ``Host`` header containing the ````. The target server must present a @@ -220,12 +220,11 @@ server by querying other servers. Publishing Keys +++++++++++++++ -Homeservers publish the allowed TLS fingerprints and signing keys in a JSON +Homeservers publish their signing keys in a JSON object at ``/_matrix/key/v2/server/{key_id}``. The response contains a list of ``verify_keys`` that are valid for signing federation requests made by the homeserver and for signing events. It contains a list of ``old_verify_keys`` which -are only valid for signing events. Finally the response contains a list of TLS -certificate fingerprints to validate any connection made to the homeserver. +are only valid for signing events. {{keys_server_ss_http_api}} From 3dd0601a96be6f285753d72aa9fd212bb9ae3bc7 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 4 Feb 2019 13:52:20 -0700 Subject: [PATCH 2/3] Remove more TLS fingerprint talk --- api/server-server/keys_server.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api/server-server/keys_server.yaml b/api/server-server/keys_server.yaml index 8734f2ed..69985ab7 100644 --- a/api/server-server/keys_server.yaml +++ b/api/server-server/keys_server.yaml @@ -27,7 +27,7 @@ paths: get: summary: Get the homeserver's public key(s) description: |- - Gets the homeserver's published TLS fingerprints and signing keys. + Gets the homeserver's published signing keys. The homeserver may have any number of active keys and may have a number of old keys. @@ -49,7 +49,7 @@ paths: type: string description: |- **Deprecated**. Servers should not use this parameter and instead - opt to return all keys, not just the requested one. The key ID to + opt to return all keys, not just the requested one. The key ID to look up. required: false x-example: "ed25519:abc123" From f37a6d2ef554a4534ac6834e9c37fb5c1e008275 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 4 Feb 2019 14:00:34 -0700 Subject: [PATCH 3/3] Changelog --- changelogs/server_server/newsfragments/1844.clarification | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelogs/server_server/newsfragments/1844.clarification diff --git a/changelogs/server_server/newsfragments/1844.clarification b/changelogs/server_server/newsfragments/1844.clarification new file mode 100644 index 00000000..f80eef51 --- /dev/null +++ b/changelogs/server_server/newsfragments/1844.clarification @@ -0,0 +1 @@ +Remove legacy references to TLS fingerprints.