Closed hpk42 closed 6 years ago
some minor comments:
@hpk42 Your changes address the attack scenario i was describing.
I have two remarks that could be addressed now or after a merge.
Sorry for nitpicking. Trying to make sure we specify precisely so implementers have good advice. And if the provider is the attacker we have a pretty powerful attacker in that it can observe our access to the mailbox and alter it.
i think the "locked autocrypt key" is an independent issue IMHO. As soon as the AC key changes you are out of the group -- but other (non-secure-verified) chats remain operable under normal autocrypt semantics.
@hpk42 - I was thinking about the situation where i see a new autocrypt key for someone whom i am also sharing a group with.
Autocrypt so far uses the last key seen. I'm fine with locking the keys only for the group - so people who have new keys but performed no oob cannot read the group mails anymore. That kind of makes sense. But I have not seen this spelled out in a way i would be confident it gets implemented correctly.
Basically what each client needs to do per group is keep a list of (recipient address, key fingerprint) pairs. This list gets updated through the notifications about new or removed keys to the entire group.
new section which talks about active attack mitigation through introducing new UI flows and messages