Closed andybalaam closed 3 days ago
Old description for reference:
Part of Invisible Crypto.
Currently when we store an Inbound group session, we associate some SessionCreatorInfo to it. Currently this info mainly contains the curve25519
identity key of the session creator.
We need now to add more info:
mxid
The associated mxid of the session creator (rooted in MSK authenticity).MSK
The msk signing (via SSK) this device at time of reception.MSK Trust Level
at time of reception (TOFU|Verified, see here)We are currently computing the "authenticity" of a megolm session but we are doing it at decryption time.
The info we get at decryption time are sender: OwnedUserId
and sender_device: OwnedDeviceId
.
Both related to a VerificationState
. This owner info is untrusted (claimed), unless the VerificationState is Trusted.
The VerificationState variants are:
We are basically trying to get this same info but at reception time.
When we receive a to-device message establishing a megolm session, we want to process it as quickly as possible, so there are 3 speeds:
(These ideas will be used by e.g. https://github.com/element-hq/crypto-internal/issues/308 - not really for this issue.)
In previous documents, we talked about "quarantine", but this is a difficult subject because different sessions will be acceptable to different clients at different times. We prefer to talk about what messages will be shown in what modes. These are some possible policies:
sender_data
is of type SenderKnown
, orlegacy_session
is true
sender_data
is of type SenderKnown
sender_data
is of type SenderKnown
, andmsk_verified
is true
If we import a session from backup or from an exported file, we mark it as legacy and let the background task handle it.
In order to complete this we need to do these tasks:
next_retry_time
so they get retried)In addition, as a separate story, we need to this:
[Moved from https://github.com/element-hq/crypto-internal/issues/310]
Part of Invisible Crypto.
Currently when we store an Inbound group session, we associate some SessionCreatorInfo to it. Currently this info mainly contains the
curve25519
identity key of the session creator.We need now to add more info:
user_id
- the associated mxid of the session creator (rooted in Master Signing Key authenticity).master_key
- the Master Signing Key signing (via the SSK) this device at time of reception.master_key_verified
- true if at time of reception the user was verified (see here)We are currently computing the "authenticity" of a megolm session but we are doing it at decryption time. The info we get at decryption time are
sender: OwnedUserId
andsender_device: OwnedDeviceId
. Both related to aVerificationState
. This owner info is untrusted (claimed), unless the VerificationState is Trusted.The VerificationState variants are:
We are basically trying to get this same info but at reception time.
Three places we populate SenderData in an InboundGroupSession
When we receive the room keys via a to-device message. (This is already done via SenderDataFinder.)
When we get new or updated device info from /keys/query. To do this we need to be able to look up InboundGroupSessions that don't have SenderData by device curve key. This will require a new index on the inboundgroupsessions table. Question: if there are lots of sessions for a particular device, will we break everything by working through batches of them to update them?
When we decrypt a message for a session. In this case we have the session and device already, so it's just a case of persisting (into inboundgroupsessions) the VerificationState that we already look up at this moment.
The plan
In order to complete this we need to do these tasks:
Old tasks that are no longer relevant (see old plan in a comment below):
https://github.com/matrix-org/matrix-rust-sdk/issues/3545https://github.com/matrix-org/matrix-rust-sdk/issues/3546https://github.com/matrix-org/matrix-rust-sdk/issues/3547 (essentially just adds anext_retry_time
so they get retried)Out of scope
[Moved from https://github.com/element-hq/crypto-internal/issues/310]