If a server specifies multiple active verify keys, which one(s) are required to sign an object?

[turt2live]

Link to problem area:

• https://spec.matrix.org/v1.6/server-server-api/#get_matrixkeyv2server
• https://spec.matrix.org/v1.6/appendices/#signing-details
• etc

Issue Nowhere do we actually say which of the server's keys have to sign a given message, though the general case is that a server has exactly 1 active (not-old) key in play.

[richvdh]

Yes, it's never made explicit, but for the record: it is sufficient for an object to be signed by any one active key.

Additionally: neither https://spec.matrix.org/v1.6/server-server-api/#request-authentication nor https://spec.matrix.org/v1.6/server-server-api/#validating-hashes-and-signatures-on-received-events say anything about validity. Again for the record, the expectation is that:

• the time when a S-S API request was received, or
• the origin_server_ts on an event

... must lie within the validity period of the key used for the signature.