Line length

proposals/3967-device-signing-upload-uia.md

@@ -1,26 +1,31 @@
 # MSC3967: Do not require UIA when first uploading cross signing keys
 
-When a user first sets up end-to-end encryption cross-signing, their client uploads their cross-signing keys to the server.
+When a user first sets up end-to-end encryption cross-signing, their client
+uploads their cross-signing keys to the server.
 
 This [upload operation](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3keysdevice_signingupload)
-requires a higher level of security by applying User-Interactive Auth (UIA) to the endpoint.
+requires a higher level of security by applying User-Interactive Auth (UIA) to
+the endpoint.
 
-This creates a usability issue at the point of user registration where a client will typically want to immediately set
-up cross-signing for a new user.
+This creates a usability issue at the point of user registration where a client
+will typically want to immediately set up cross-signing for a new user.
 
-The issue is that the client will immediately need the user to re-authenticate even though the user just authenticated.
+The issue is that the client will immediately need the user to re-authenticate
+even though the user just authenticated.
 
-This usability issue has given rise to workarounds such as a 
+This usability issue has given rise to workarounds such as a
 [configurable grace period](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#ui_auth)
-(`ui_auth`.`session_timeout`) in Synapse whereby UIA will not be required for uploading cross-signing keys where
-authentication has taken place recently.
+(`ui_auth`.`session_timeout`) in Synapse whereby UIA will not be required for
+uploading cross-signing keys where authentication has taken place recently.
 
-This proposal aims to provide for a standard way to address this UIA usability issue with respect to setting up cross-signing.
+This proposal aims to provide for a standard way to address this UIA usability
+issue with respect to setting up cross-signing.
 
 ## Proposal
 
-For the `POST /_matrix/client/v3/keys/device_signing/upload` endpoint the Homeserver should only require User-Interactive
-Authentication (UIA) if the user already has an existing cross-signing master key uploaded to the Homeserver.
+For the `POST /_matrix/client/v3/keys/device_signing/upload` endpoint the
+Homeserver should only require User-Interactive Authentication (UIA) if the user
+already has an existing cross-signing master key uploaded to the Homeserver.
 
 ## Potential issues
 
@@ -29,16 +34,19 @@ See security considerations below.
 
 ## Alternatives
 
-There has been some discussion around how to improve the usability of cross-signing more generally. It may be that an
-alternative solution is to provide a way to set up cross-signing in a single request.
+There has been some discussion around how to improve the usability of
+cross-signing more generally. It may be that an alternative solution is to
+provide a way to set up cross-signing in a single request.
 
 ## Security considerations
 
-This change could be viewed as a degradation of security at the point of setting up cross-signing in that it requires
-less authentication to upload cross-signing keys on first use.
+This change could be viewed as a degradation of security at the point of setting
+up cross-signing in that it requires less authentication to upload cross-signing
+keys on first use.
 
-However, this degradation needs to be weighed against the typical real world situation where a Homeserver will be
-applying a grace period and so allow a malicious actor to bypass UIA for a period of time after each authentication.
+However, this degradation needs to be weighed against the typical real world
+situation where a Homeserver will be applying a grace period and so allow a
+malicious actor to bypass UIA for a period of time after each authentication.
 
 ## Unstable prefix