'Web of trust' for automatically trusting certain keys without human verification?

[andswitch]

Hi,

Matrix is awesome, but the manual per-device key verification mechanism is a bit of a pita. Perhaps it is possible to make this mechanism a little bit more user-friendly by automatically trusting certain keys in case these keys have been verified already by a trusted party?

Especially in case a user A with a device X uses device X to verify that another device Y belongs to him/herself. Anybody who has verified that device X belongs to A could trust that device Y also belongs to A. This way, once you've verified one device from a user, you can trust all devices from that user as long as that user makes a little effort to verify those devices. Then, that user doesn't have to annoy other users with the need to verify the other devices.

[uhoreg]

see also element-hq/element-web#2714 and https://github.com/vector-im/riot-web/issues/3815

[erdii]

sounds a bit like keybase. where each user has a ledger of his device keys and uses already trusted devices to cross-sign new keys

[ShadowJonathan]

With the introduction of cross-signing in E2EE, could this issue be considered solved?

[uhoreg]

No, this issue seems to be more about a general web-of-trust mechanism, whereas cross-signing is specifically about same-user verification.

That said, this is more of a spec issue than a synapse issue, and we have https://github.com/matrix-org/matrix-doc/issues/1886 to track this on the spec side now (and element-hq/element-meta#662 as the user-visible feature issue), so this should probably be closed anyways.