From 8cba7adcdf47ed69ece187f472d3237e532dae32 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Wed, 5 Jun 2019 13:52:02 +0100 Subject: [PATCH] Clarify conditions for attack --- proposals/2078-homeserver-password-resets.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/proposals/2078-homeserver-password-resets.md b/proposals/2078-homeserver-password-resets.md index e64c8651..0d2207b0 100644 --- a/proposals/2078-homeserver-password-resets.md +++ b/proposals/2078-homeserver-password-resets.md @@ -5,8 +5,9 @@ send password reset tokens, and allows homeservers to implement the functionality instead. The intention is to put less trust in the identity server which is currently one of the most centralised components of Matrix. As it stands, an attacker in control of a identity server can reset a user's -password if that user has registered a third-party identifier (3PID) with that -identity server, due to itself also handling the job of confirming the user's +password if the identity server is considered trusted by that homeserver, and +the user has registered at least one third-party identifier (3PID). This is due +to the identity server currently handling the job of confirming the user's control of that identity. The MSC aims to simply clarify that homeservers can take on the responisibility
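Review bot: the rewritten sentence drops the only statement of where the 3PID is registered. The removed line read "registered a third-party identifier (3PID) with that identity server"; the added lines read "the user has registered at least one third-party identifier (3PID)" with no party named, which leaves it ambiguous whether the precondition is a 3PID bound at the attacker's identity server or a 3PID associated with the account on the homeserver. Since the condition now hinges on the homeserver trusting that identity server, name the party explicitly, for example "the user has registered at least one third-party identifier (3PID) with that homeserver", or restore "with that identity server" if that is the intended meaning. While this paragraph is being edited, the unchanged context line "an attacker in control of a identity server" should read "an identity server", and "responisibility" in the trailing context line is misspelled.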