We could cross-sign devices to aid trust when new ones join a room

[ara4n]

At the moment we risk drowning users in unverified device warnings as per #2143, which is stupid given we can give some level of confidence that a new device should be trusted if it has been somehow cross-signed by a device that you already trust yourself.

[remram44]

This is a good solution! It also opens the possibility for a "web of trust" in the future, where other user(s) you trust verifying people give you some trust transitively (like PGP; and definitely useful for bigger rooms).

[pierce403]

This opens up an attack where someone with temporary access to a phone or laptop could silently enroll a new malicious device, which isn't a huge tragedy, but should be considered.

I notice that my own devices in Riot aren't automatically verified, which is nice. Maybe when an old device sees that a new device has been enrolled, they should get a popup like

A new device "<devicename>" has been added to your account. [endorse][ignore][remove]

"Ignore" just does what today's default is. "remove" removes the key from the account, and "endorse" verifies the key for yourself, and emits a message to all the e2e rooms you're in that looks something like

<nick> (id) has endorsed "<new device>" with "<old device>"

Then, there could be an option, per user, called "Trust cross device endorsements", which is enabled by default, and if enabled, the endorsement message, and the warning message I propose in #2143, could silently disappear.

[remram44]

Requiring people to verify each device separately seems a bit unrealistic IMHO. And since other people will happily encrypt for that new device regardless of whether it is verified, some validation is better than none.

[andrewgdunn]

May consider signal's method of device linking from a UX standpoint.

[vext01]

I agree that this would be useful.

I have a friend with 2 devices, and I have 3. Each of our devices has to sign each other device, which is awkward and I also think a barrier to entry for non-technical users.

Thanks

[tessgadwa]

One very useful UX fix would be not giving people an option to encrypt a conversation if there are unverified devices present, rather than merely issuing a stern warning.

…

On Thu, Mar 9, 2017 at 3:17 PM, Edd Barrett ***@***.***> wrote: I agree that this would be useful. I have a friend with 2 devices, and I have 3. Each of our devices has to sign each other device, which is awkward and I also think a barrier to entry for non-technical users. Thanks — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2714 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGLNG4FQnYF14_klRo0eEEa8CgLU4w4Bks5rkIh6gaJpZM4LG4xT> .

-- Tess Gadwa Chief Executive Officer

_______________________________ Yes Exactly, Inc. | yesexactly.com | 413.325.8251

[erdii]

You can configure your Riot instance, to only send messages to trusted devices in the settings.

[schnuffle]

@erdii i used this option. Good from a security point of view but it adds even more confusion, when you start searching for the reason, why no more messages are send.
I don't know exactly anymore, but i had riot on one device telling me there're unverified devices, on another riot it just silently did not send the message.

I recently added some non geek friends to my HS and the first lesson has been:

"access your account from one device only or you'll get negative feedback".

Sooner or later they will complain about missing mesages. So they all even don't know there's a web client :)
They get the idea of having to trust once to be sure about the others identity, anything on top of that and you loose them.
On the other side, they understood the concept of having to trust each new device they access their account with. So it seems, moving the trust modell to a concept of "user adds trust to his devices" is better understood by non it people.
I see a possible attack vector, so it's not that i think it's better, just that it's better percieved by my community of non technical people.

[erdii]

I think signal and keybase have some kind of key-tree magic going on, so the other users only trust one pubkey and you can have multiple device keys behind that pubkey. Something like this would be great IMO because it would shift the device-trust hustle to the user owning the devices.

[ara4n]

the problem is that sometimes you /do/ want to trust/distrust specific devices - hence the idea of cross-signing rather than having a formal hierarchy. But all options are still on the table here :)

[erdii]

Is the requirement to be able to distrust other user's devices or is it enough to be able to distrust one of your own devices and your chatpartners stop encrypting for that device too?