manual self-verification of a specific Riot/Web only gives emoji option, not QR

[ara4n]

if i try to verify Riot/Web from Riot/X's session management in settings, it only lets me try to verify it by emoji.

[BillCarsonFr]

You current session does not trust the MSK. Currently in this case the verify will launch a legacy start SAS

[BillCarsonFr]

We probably have an issue here. The manage session will display local trust:

It should propably not do that.. The current device should be red shield and the others blacks shields? And when you try to verify another session it should ask you first to complete security?

@nadonomy what do you think

Maybe we should show that: And for you to complete security on this session when you try to verify other sessions?

[BillCarsonFr]

The state of user profile is also probably a bit off

[nadonomy]

@nadonomy what do you think

Yeah I think this makes sense. So effectively if a user is using cross-signing, they sign into a new device and then skip verifying it on login and go to settings, we echo locally how other users see their pool of devices?

So this device would be untrusted (red) and once cross-signed would turn green, and the other devices would update from black to represent either their trusted (green) or untrusted (red) state?

[nadonomy]

@BillCarsonFr & I had a call on this to discuss in more detail, and we think it makes sense to:

In Settings

• Decorate your local session as red (as it's untrusted)
• Decorate the other other sessions as black
• Then, when tapping on your local session, we trigger bootstrapping
• And, when tapping on an unknown session, we have an extra [Complete Security] action to trigger bootstrapping

When viewing your own profile

• Decorate the same, where black devices are labelled as 'Unknown'