i don't feel like writing all of this out so i will copy paste it all from a discord convo
this is not an inital release target so ignore this for now
however we can push that work onto homeserver owners
and have homeserver owners manually verify eachother
and clients among them will automatically cross-verify
so in order for any clients on your homeserver to talk without a stupid untrusted badge you have to get your homeserver manually verified by someone part of the main verified network
that should curb spam at least a little too
each homeserver will keep a list of homeservers that have verified it
and every homeserver will keep a list of servers it has verified
whenever a server comes in contact with a new homeserver
it will request this list
and look through the homeservers and see if it trusts any of those homeservers
if it does, it will ask those homeservers if they DO actually trust it
if it does, it will put it under the automatically trusted list and let it continue
so a brand new homeserver needs to be verified by an admin of at least one decently used homeserver or a homeserver 1 degree of separation away
which would still be thousands of homeservers available for manual verification
and would curb spam a little because guild owners could choose to block unverified homeservers if they are having spam issues
this makes it hard to just spin up brand new homeservers in an instant and makes blocking malicious homeservers actually meaningful
there, that's how i will do client verification without e2e
trust the human
this however assumes admins of major homeservers don't go rogue
but even in matrix nothing is stopping the admin of a major homeserver deleting the database and shutting down the homeserver with no notice
so a rogue homeserver owner does damage regardless
but this stops impersonation
at least a little
and the user sees none of this because this is on the shoulders of admins
the only time a user would see it is in channel settings you can make users of unverified homeservers muted
or an unverified badge next to a user or homeserver name
i don't feel like writing all of this out so i will copy paste it all from a discord convo this is not an inital release target so ignore this for now
however we can push that work onto homeserver owners and have homeserver owners manually verify eachother and clients among them will automatically cross-verify so in order for any clients on your homeserver to talk without a stupid untrusted badge you have to get your homeserver manually verified by someone part of the main verified network that should curb spam at least a little too each homeserver will keep a list of homeservers that have verified it and every homeserver will keep a list of servers it has verified whenever a server comes in contact with a new homeserver it will request this list and look through the homeservers and see if it trusts any of those homeservers if it does, it will ask those homeservers if they DO actually trust it if it does, it will put it under the automatically trusted list and let it continue so a brand new homeserver needs to be verified by an admin of at least one decently used homeserver or a homeserver 1 degree of separation away which would still be thousands of homeservers available for manual verification and would curb spam a little because guild owners could choose to block unverified homeservers if they are having spam issues this makes it hard to just spin up brand new homeservers in an instant and makes blocking malicious homeservers actually meaningful there, that's how i will do client verification without e2e trust the human this however assumes admins of major homeservers don't go rogue but even in matrix nothing is stopping the admin of a major homeserver deleting the database and shutting down the homeserver with no notice so a rogue homeserver owner does damage regardless but this stops impersonation at least a little and the user sees none of this because this is on the shoulders of admins the only time a user would see it is in channel settings you can make users of unverified homeservers muted or an unverified badge next to a user or homeserver name