syphon-org / syphon

⚗️ a privacy centric matrix client
https://syphon.org
GNU Affero General Public License v3.0

Cross-Signing Support #126

Open ereio opened 4 years ago

ereio commented 4 years ago

Will be very next feature after group E2EE

ereio commented 3 years ago

bad automation here

menturion commented 2 years ago

I am wondering why there isn't any app yet that implements all the logic for Key Verification / Cross-Signing in a separate app to authorize these requests for multiple accounts. Wouldn't it make sense to separate the logic of a chat app from the logic of an "authorization" app in this context?

0x1a8510f2 commented 2 years ago

@menturion Cross-signing and verification in Matrix are used to ensure that each session and device are who they claim they are. This means that these processes have to happen for each device/session individually. You can have one app to initiate verification of your clients, but each client also has to support this in order to actually undergo the verification process/get verified. If clients support this, it only makes sense to also include the functionality to initiate verification, and if this functionality is included, there's not really a point having a separate app.

It wouldn't really make sense to have a separate verification app because you're verifying cryptographic keys which are already being used by the chat app. Making it separate would be both less secure and actually less convenient.

Either way, this is more of a spec issue than a Syphon issue.

menturion commented 2 years ago

@0x1a8510f2

Many thanks for your detailed reply and explanations!

Is it really less secure? This type of app (hereinafter referred to as "authenticator") would be a valid device like any other device, with the difference that it lacks all the chat features.

A user would have to log in to this "authenticator" app and be verified by another existing session/device. This type of app would cover scenarios where the user is primarily using a web client (e.g. Element Web) and only wants to install a lightweight app for verification purposes, rather than an additional full-fledged heavyweight chat app on top of the 6 other chat apps already installed on the phone.

> Either way, this is more of a spec issue than a Syphon issue.

Right. I posted my comment here because I just read this feature request (in the Syphon repo).

notramo commented 2 years ago

> You can have one app to initiate verification of your clients, but each client also has to support this in order to actually undergo the verification process/get verified.

No, it doesn't. The device key can be signed even after a manual text verification. Supporting SAS verification is a level up for UX, but cross-signing is not needed for it on the verified session, only for the session with the master key.

Having a "signer" app wouldn't make it less secure, but would bring a little bit of UX hassle. But in exchange for it, you could delete Element and still have cross-signing.