Clarify notary servers are no longer required to sign responses #1948

Open
f0x52 opened this issue Sep 12, 2024 · 1 comment
Labels
improvement An idea/future MSC for the spec

Comments

@f0x52
Contributor

f0x52 commented Sep 12, 2024

Link to problem area: https://spec.matrix.org/v1.11/server-server-api/#querying-keys-through-another-server

Issue
As per discussion with the Matrix.org security team, notary responses are only signed for compatibility with very old versions of Synapse.
This is superfluous as the TLS connection already authenticates the response.
Notably, for backwards compatibility matrix.org still signs these responses with their old ed25519:auto key, even though it's marked as expired.

afaik, Conduit and Dendrite don't implement these key query routes at all

@f0x52 f0x52 added the spec-bug Something which is in the spec, but is wrong label Sep 12, 2024
@turt2live turt2live added improvement An idea/future MSC for the spec and removed spec-bug Something which is in the spec, but is wrong labels Sep 12, 2024
@turt2live
Member

I think this would require an MSC.
