|
| 1 | +# Key verification flow additions: `m.key.verification.ready` and `m.key.verification.done` |
| 2 | + |
| 3 | +The current key verification framework is asymmetrical in that the user who |
| 4 | +requests the verification is unable to select the key verification method. |
| 5 | +This makes it harder for more experienced users who wish to guide less |
| 6 | +experienced users through the verification process, especially if they are not |
| 7 | +verifying in-person, but are using a trusted but remote channel of verification |
| 8 | +(such as telephone or video conference). |
| 9 | + |
| 10 | +As an example, let us say that Alice is an experienced Matrix user and is |
| 11 | +introducing Bob to the wonders of federated communications. Alice wants to |
| 12 | +verify keys with Bob, so she clicks on the "Verify" button in her client on |
| 13 | +Bob's profile (which sends a `m.key.verification.request` message to Bob). |
| 14 | +Bob's device receives the verification request and prompts Bob to accept the |
| 15 | +verification request. At this point, under the current framework, Bob is |
| 16 | +responsible for choosing the verification method to use. However, with this |
| 17 | +proposal, Bob would be able to just accept the verification request without |
| 18 | +choosing a method, and allow Alice to choose the verification method. |
| 19 | + |
| 20 | +In addition, the current key verification framework does not have a method for |
| 21 | +clients to signal to the other side that a key verification was successful. |
| 22 | +Some clients may wish to wait until the other side has either confirmed a |
| 23 | +successful verification or indicated an error before displaying the result of |
| 24 | +the verification, in order to give the two users a consistent view of the |
| 25 | +verification as a whole. |
| 26 | + |
| 27 | +## Proposal |
| 28 | + |
| 29 | +Two new event types are added to the [key verification |
| 30 | +framework](https://matrix.org/docs/spec/client_server/r0.6.1#key-verification-framework) |
| 31 | +when verifying in to-device messages. The new event |
| 32 | +types are already described in [MSC2241 (Key verification in |
| 33 | +DMs)](https://github.com/matrix-org/matrix-doc/pull/2241). This proposal adds |
| 34 | +them to verifications in to-device messages. |
| 35 | + |
| 36 | +The first event type is `m.key.verification.ready`, which must be sent by the |
| 37 | +target of the `m.key.verification.request` message, upon receipt of the |
| 38 | +`m.key.verification.request` event. It has the fields: |
| 39 | + |
| 40 | +- `from_device`: the ID of the device that sent the `m.key.verification.ready` |
| 41 | + message |
| 42 | +- `methods`: an array of verification methods that the device supports |
| 43 | + |
| 44 | +It also has the usual `transaction_id` or `m.relates_to` fields for key |
| 45 | +verification events, depending on whether it is sent as a to-device event |
| 46 | +or an in-room event. |
| 47 | + |
| 48 | +After the `m.key.verification.ready` event is sent, either party can send an |
| 49 | +`m.key.verification.start` event to begin the verification. If both parties |
| 50 | +send an `m.key.verification.start` event, and they both specify the same |
| 51 | +verification method, then the event sent by the user whose user ID is the |
| 52 | +lexicographically smallest is used, and the other `m.key.verification.start` event is ignored. |
| 53 | +In the case of a single user verifying two of their devices, the device ID is |
| 54 | +compared instead. If both parties send an `m.key.verification.start` event, |
| 55 | +but they specify different verification methods, the verification should be |
| 56 | +cancelled with a `code` of `m.unexpected_message`. |
| 57 | + |
| 58 | +With to-device messages, previously the sender of the |
| 59 | +`m.key.verification.request` message would send an `m.key.verification.cancel` |
| 60 | +message to the recipient's other devices when it received an |
| 61 | +`m.key.verification.start` event. With this new event, the sender of the |
| 62 | +`m.key.verification.request` message should send an `m.key.verification.cancel` |
| 63 | +message when it receives an `m.key.verification.ready` or |
| 64 | +`m.key.verification.start` message, whichever comes first. |
| 65 | + |
| 66 | +The `m.key.verification.ready` event is required for verifications in both DMs |
| 67 | +and in to-device messages to accept verifications requested using an |
| 68 | +`m.key.verification.request` event. |
| 69 | + |
| 70 | +The second event type is `m.key.verification.done`, which has no fields other |
| 71 | +than the usual `transaction_id` or `m.relates_to` field. This indicates that |
| 72 | +the device has successfully completed its side of the verification. |
| 73 | + |
| 74 | +## Potential issues |
| 75 | + |
| 76 | +Clients that follow the Client-Server 0.6.0 spec may not expect an |
| 77 | +`m.key.verification.ready` message in response to `m.key.verification.request`. |
| 78 | +However to our knowledge, no clients implement `m.key.verification.request` in |
| 79 | +this way yet -- to our knowledge, all clients that implement verification |
| 80 | +implement this proposal. |
0 commit comments