9e45037129
* Remove keyId from the server keys endpoints It has been deprecated forever. Besides, the OpenAPI 3 spec doesn't allow optional path parameters. Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Add newsfragment Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Fix broken link Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Mention MSC3938 in newfragment Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
848 B
848 B
When validating event signatures, servers MUST enforce the
valid_until_ts property from a key request is at least as large as the
origin_server_ts for the event being validated. Servers missing a copy
of the signing key MUST try to obtain one via the GET
/_matrix/key/v2/server
or POST
/_matrix/key/v2/query
APIs. When using the /query endpoint, servers MUST set the
minimum_valid_until_ts property to prompt the notary server to attempt
to refresh the key if appropriate.
Servers MUST use the lesser of valid_until_ts and 7 days into the
future when determining if a key is valid. This is to avoid a situation
where an attacker publishes a key which is valid for a significant
amount of time without a way for the homeserver owner to revoke it.