E2E impl guide: check ids in device query

Update the E2E impl guide to note that the user_id and device_id returned from
a device query need to be checked.
pull/977/head
Richard van der Hoff 8 years ago
parent 4c008a4771
commit 157e51fbc9

@ -399,13 +399,19 @@ and the corresponding signature for the ``signature`` parameter. If the
signature check fails, no further processing should be done on the signature check fails, no further processing should be done on the
device. device.
The client should check if the ``user_id``/``device_ie`` correspond to a device The client must also check that the ``user_id`` and ``device_id`` fields in the
object match those in the top-level map [#]_.
The client should check if the ``user_id``/``device_id`` correspond to a device
it had seen previously. If it did, the client **must** check that the Ed25519 it had seen previously. If it did, the client **must** check that the Ed25519
key hasn't changed. Again, if it has changed, no further processing should be key hasn't changed. Again, if it has changed, no further processing should be
done on the device. done on the device.
Otherwise the client stores the information about this device. Otherwise the client stores the information about this device.
.. [#] This prevents a malicious or compromised homeserver replacing the keys
for the device with those of another.
Sending an encrypted event Sending an encrypted event
-------------------------- --------------------------
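
Review bot: The added paragraph "The client must also check that the ``user_id`` and ``device_id`` fields in the object match those in the top-level map" does not say what the client does when they differ. The signature check before it and the Ed25519 key-change check after it both end with "no further processing should be done on the device"; state the same outcome here so that an implementer does not go on to store a device whose ids failed the match. For consistency with the following paragraph, "must" could also be written as ``**must**``. The footnote gives the reason for the check, but it is worded in terms of keys; it would be clearer if it said that the ids inside the device object are the ones covered by the signature, which is why they have to agree with the map keys the homeserver chose.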
