gkdr / lurch

XEP-0384: OMEMO Encryption for libpurple.
GNU General Public License v3.0

There is no way to verify fingerprints in MUCs #64

Open elimohl opened 7 years ago

elimohl commented 7 years ago

Valid arguments for 'lurch' in groupchats are 'enable', 'disable', 'uninstall', and 'help'.

gkdr commented 7 years ago

Currently, you can only enable OMEMO in MUCs with people that are in your contact list anyway (because the presence subscription is needed for PEP node access). So the thought was that you can confirm the session's fingerprints in the 1-on-1-chat window, as there is no "group session", just the sessions of all of the users. I think it would not be practical to show the same message listing all of the session's fingerprints since it would be very long. Do you have a suggestion on how to solve this, or did you think there is a separate session for the MUCs? If so, do you think it should be explained somewhere?

elimohl commented 7 years ago

Actually, I did not think much about how it works. I think it would be nice if you explain a policy about MUC in the lurch help or at least in the README. Will MUCs' messages be sent only to not blacklisted devices? Is there a chance that an adversary somehow hides his device from 1-on-1-chat and joins a MUC?

splurched commented 7 years ago

Like the compliance tester does?

https://github.com/iNPUTmice/ComplianceTester

https://github.com/iNPUTmice/ComplianceTester/blob/master/src/main/java/eu/siacs/compliance/tests/OMEMO.java#L12-L17

https://gultsch.de/compliance_ranked.html