Clarify how to validate the received prekey messages

otrv4 / otrv4-prekey-server

The Prekey Server specification as needed for the OTRv4 specification. This is a mirror of https://bugs.otr.im/otrv4/otrv4-prekey-server

2 stars 0 forks source link

Clarify how to validate the received prekey messages #4

Closed juniorz closed 6 years ago

juniorz commented 6 years ago

Original message:

Clarify the checks that the client should do upon receipt of the prekey messages. This should be included on the section and not only linked to certain part of the OTRv4 spec, as the OTRv4-prekey spec is the one that specifically defines this. See: https://github.com/otrv4/otrv4-prekey-server/commit/17b0a3a6e5e84c664bf4c3efa5988b2fad8fccbc#diff-bf23ee0d88b81fe9b683335982d5f63eR559

juniorz commented 6 years ago

Clarify that some actions are based upon what an ideal prekey server should do, but this is not expected from every server there is. See: https://github.com/otrv4/otrv4-prekey-server/commit/17b0a3a6e5e84c664bf4c3efa5988b2fad8fccbc#diff-bf23ee0d88b81fe9b683335982d5f63eR559

juniorz commented 6 years ago

Regarding the previous message: this behavior is expected, but it just should not be trusted if a server's misbehavior seems to affect the security.

We expect a server to behave in certain conditions (store our prekey messages, give them to who ask, not give them to tho people, give them one prekey for each of our devices). Writing this in the spec won't hurt.

juniorz commented 6 years ago

I believe we have warned the user enough.