From cf19f525767a9db9a982a966e47f11a983f4eab3 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 10 Jun 2019 13:21:24 -0600 Subject: [PATCH] Enforce 7 day validity requirement everywhere also misc formatting fixes --- api/server-server/definitions/keys.yaml | 2 +- specification/rooms/v5.rst | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/api/server-server/definitions/keys.yaml b/api/server-server/definitions/keys.yaml index c48c320a7..8bc6c563c 100644 --- a/api/server-server/definitions/keys.yaml +++ b/api/server-server/definitions/keys.yaml @@ -98,7 +98,7 @@ properties: be ignored in room versions 1, 2, 3, and 4. Keys used beyond this timestamp MUST be considered invalid, depending on the `room version specification`_. - Servers SHOULD use the lesser of this field and 7 days into the future when + Servers MUST use the lesser of this field and 7 days into the future when determining if a key is valid. This is to avoid a situation where an attacker publishes a key which is valid for a significant amount of time without a way for the homeserver owner to revoke it. diff --git a/specification/rooms/v5.rst b/specification/rooms/v5.rst index 9b9fad7e2..97ebf2fe4 100644 --- a/specification/rooms/v5.rst +++ b/specification/rooms/v5.rst @@ -15,8 +15,8 @@ Room Version 5 ============== -This room version builds on `version 4 `_, enforcing signing key validity -periods for events. +This room version builds on `version 4 `_ while enforcing signing +key validity periods for events. .. contents:: Table of Contents .. sectnum:: 
@@ -52,3 +52,8 @@ validated. Servers missing a copy of the signing key MUST try to obtain one via or `POST /_matrix/key/v2/query <../server_server/r0.1.1.html#post-matrix-key-v2-query>`_ APIs. When using the ``/query`` endpoint, servers MUST set the ``minimum_valid_until_ts`` property to prompt the notary server to attempt to refresh the key if appropriate. + +Servers MUST use the lesser of ``valid_until_ts`` and 7 days into the future when +determining if a key is valid. This is to avoid a situation where an attacker +publishes a key which is valid for a significant amount of time without a way for +the homeserver owner to revoke it.
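Review bot: the keys.yaml hunk upgrades "SHOULD" to "MUST" but still leaves the reference point of "7 days into the future" unstated; the description only speaks of "this timestamp" (the key's own validity end), so a reader cannot tell whether the cap runs from the moment the key response was fetched or from the moment an event is being checked. The two readings differ: a key fetched eight days ago whose `valid_until_ts` is still in the future passes under the second reading but not the first, and the first is the one the rationale about an attacker publishing a long-lived key is meant to close. Suggest wording it as "the lesser of this field and 7 days after the key was fetched when determining if a key is valid". The same hunk sits directly after "Keys used beyond this timestamp MUST be considered invalid, depending on the `room version specification`_", which is room-version dependent, so also state whether the 7-day cap applies regardless of room version; the commit title says "everywhere", but the text does not.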
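Review bot: the paragraph appended to v5.rst repeats the keys.yaml sentence verbatim rather than referring to it, so the rule now has two normative copies that can drift; since the definition already carries the 7-day text, a cross-reference to the keys definition from here would be enough. What this room version should add instead is the consequence for event validation: the paragraph just above requires `minimum_valid_until_ts` on `/query` so that the notary refreshes a key, yet the new text only says a key beyond the 7-day cap is invalid. Add a sentence that a cached key whose capped validity has lapsed is to be re-fetched (setting `minimum_valid_until_ts` accordingly) before the event is rejected; otherwise a server that cached a key more than 7 days ago would reject events signed with a key that is still valid at its source.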