clarify which signature to check (#3573)

pull/977/head
Hubert Chathi 3 years ago committed by GitHub
parent 0fbc6bdab6
commit 71988263f3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1 @@
Clarify which signature to check when decrypting `m.olm.v1.curve25519-aes-sha2` messages.

@ -1461,11 +1461,11 @@ user, and `recipient_keys` to the local ed25519 key.
Clients must confirm that the `sender_key` and the `ed25519` field value
under the `keys` property match the keys returned by [`/keys/query`](/client-server-api/#post_matrixclientv3keysquery) for
the given user, and must also verify the signature of the payload.
Without this check, a client cannot be sure that the sender device owns
the private part of the ed25519 key it claims to have in the Olm
payload. This is crucial when the ed25519 key corresponds to a verified
device.
the given user, and must also verify the signature of the keys from the
`/keys/query` response. Without this check, a client cannot be sure that
the sender device owns the private part of the ed25519 key it claims to
have in the Olm payload. This is crucial when the ed25519 key corresponds
to a verified device.
If a client has multiple sessions established with another device, it
should use the session from which it last received and successfully

Loading…
Cancel
Save