Skip to content

MSC1544: Key verification using QR codes #1544

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 26 commits into from
Nov 25, 2020
Merged
Changes from 1 commit
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
3aba9b1
initial dump of proposal
uhoreg Aug 20, 2018
3734471
mention option of having the QR code be a URL
uhoreg Aug 20, 2018
acd9a5d
add note about Bob mashing the "Verify" button prematurely
uhoreg Aug 20, 2018
95280d8
switch QR code to URL, add introductory text, add clarifications, reo…
uhoreg Sep 5, 2018
517754b
use common key verification message types as per MSC1717
uhoreg Jan 8, 2019
ba39779
add a conclusion
uhoreg Jan 8, 2019
3b0073a
allow for multiple keys to be verified, for cross-signing
uhoreg Jan 8, 2019
38689a8
add information about interacting with key requests and define cancel…
uhoreg Jan 8, 2019
10b6fd6
add more crypto magic, clarify things, add examples
uhoreg Sep 18, 2019
332b560
simplify protocol by embedding Alice's key in Bob's QR code
uhoreg Sep 19, 2019
4f83bd3
Update proposals/1543-qr_code_key_verification.md
uhoreg Jan 22, 2020
379bb79
Update proposals/1543-qr_code_key_verification.md
uhoreg Jan 22, 2020
a8c7fda
add some clarifications
uhoreg Jan 24, 2020
be9c37e
more clarifications, add comparison with SAS
uhoreg Jan 27, 2020
0b4411e
more words
uhoreg Jan 28, 2020
fcfd5d9
add examples for self-verification
uhoreg Jan 29, 2020
21ddf85
make other_user_key optional for one flow of self-verification
uhoreg Jan 29, 2020
7f93084
request can be transaction_id
uhoreg Jan 30, 2020
78b8133
use binary encoding of keys to reduce size of QR code
uhoreg Feb 6, 2020
405ac1e
add base32 option
uhoreg Feb 19, 2020
c77d04c
add base64 option
uhoreg Feb 19, 2020
ea0abe9
remove incorrect stuff
uhoreg Feb 19, 2020
a7279d9
Update proposals/1543-qr_code_key_verification.md
uhoreg Feb 27, 2020
7b3c98c
we're using the binary format
uhoreg Oct 17, 2020
0b97ac5
event IDs use $
uhoreg Nov 19, 2020
9db8cc9
Update proposals/1543-qr_code_key_verification.md
uhoreg Nov 21, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions proposals/1543-qr_code_key_verification.md
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,21 @@ Step 4 is to ensure that Bob does not present a QR code claiming to be Carol's
key. Without this check, Bob will be able to trick Alice into verifying a key
under his control, and evesdropping on Alice's communications with Carol.

The security of verifying Alice's key depends on Bob not hitting the "Verified"
button until after Alice's device indicates success. However, users have a
tendency to click on buttons without reading what the screen says. This might
be addressed by:

- allowing Bob to easily undo the verification if Alice's device subsequently
gives an error
- posing Bob a dummy question that he cannot answer until after Alice's device
displays the check results. For example: "Does Alice's device show a cat or
a dog?" Alice's device will show one or the other after it has checked the
key received from Bob, forcing Bob to wait for the check to complete.
(Whether a cat or a dog is displayed could be keyed to, for example, a bit in
the transaction ID.)
- (possibly other ways)

Other Issues
------------

Expand Down