You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
matrix-spec-proposals/proposals/2874-single-ssss.md

2.8 KiB

MSC2874: Single SSSS

Secure Secret Storage and Sharing (SSSS) was designed to allow the user to create multiple keys that would be able to decrypt different subsets of the secrets. However, the vast majority of users do not need this feature.

This proposal defines how clients should behave if they only wish to support a single key, by defining which key clients should use if multiple keys are present. It also makes the name field in the m.secret_storage.key.* events optional, as this field was mainly added to allow a user to select between different keys.

Proposal

If a client wants to present a simplified interface to users by not supporting multiple SSSS keys, then the client should use the default key (the key listed in the m.secret_storage.default_key account data event.) If there is no default key the client may behave as if there is no SSSS key at all. When such a client creates an SSSS key, it must mark that key as being the default key.

The name field in the m.secret_storage.key.* account data events is optional, rather than required. If a client wishes to display multiple keys to a user and a given key does not have a name field, the client may use a default name as the key's name, such as "Unnamed key", or "Default key" if the key is marked as default.

For example, when a client creates a key with ID abcdefg, it will create an m.secret_storage.key.abcdefg account data event to store information about the key. It will then mark it as the default key by setting the m.secret_storage.default_key account data to {"key": "abcdefg"}. When another client logs in after this, it will see that the default key has been set, and will know to use that key as the SSSS key.

Potential issues

If secrets are encrypted using a key that is not marked as default, a client might not decrypt the secrets, even if it would otherwise be able to.

Alternatives

Rather than solely relying on the key marked as default, a client could guess at what key to use. For example, it could look at the secrets that it needs, see what keys they are encrypted with, and if there is only one common key, then it could use that. (This is what Element currently does.) Or if there are multiple keys, it could use some sort of heuristic to pick a key. However, this approach can be error-prone, and it is better to rely on an explicit marking.

Security considerations

None

Unstable prefix

An unstable prefix is not needed for a behaviour change in choosing the key to use as there are no event/endpoint changes.

Some clients already omit the name field (notably, matrix-js-sdk unintentionally does this -- mea culpa), and this does not seem to be causing issues, so an unstable prefix seems unnecessary for this.