Skip to content

Commit 37b1e17

Browse files
richvdhrichvdh
committed
MSC2076: Enforce key-validity periods when validating event signatures
1 parent 9cb60fa commit 37b1e17

File tree

1 file changed

+42
-0
lines changed

1 file changed

+42
-0
lines changed

proposals/2076-enforce-validity-periods.md

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
# MSC2076: Enforce key-validity periods when validating event signatures
2+
3+
## Background
4+
5+
The [Federation API
6+
specification](https://matrix.org/docs/spec/server_server/r0.1.1.html#validating-hashes-and-signatures-on-received-events)
7+
specifies that events should be validated via the signature verification
8+
algorithm, but does not specify how the keys for that check should be obtained
9+
and validated.
10+
11+
In practice, the implementation has been as follows. The receiving server
12+
first requests a copy of the key via the [`GET /_matrix/key/v2/server/`
13+
API](https://matrix.org/docs/spec/server_server/r0.1.1.html#get-matrix-key-v2-server-keyid)
14+
directly from the server which created the signature, or via the [`POST
15+
/_matrix/key/v2/query` API](https://matrix.org/docs/spec/server_server/r0.1.1.html#post-matrix-key-v2-query)
16+
from a trusted key server. Once such a key is obtained, it is then cached
17+
forever. No check is made on the `valid_until_ts` field, and
18+
`minimum_valid_until_ts` is set to zero for calls to `POST
19+
/_matrix/key/v2/query`.
20+
21+
This is highly unsatisfactory, as it means that, should a key be compromised,
22+
then an attacker can spoof arbitrary events claiming to be from the compromised
23+
server forever, since there is no revocation mechanism.
24+
25+
## Proposal
26+
27+
This MSC proposes to enforce the `valid_until_ts` property when validating
28+
event signatures. In particular, the server must ensure that it has a copy of
29+
the key with a `valid_until_ts` at least as large as the `origin_server_ts` of
30+
the event being validated. If it does not have such a copy, it must try to
31+
obtain one via the `GET /_matrix/key/v2/server/` or `POST
32+
/_matrix/key/v2/query` APIs. For the latter, it must set
33+
`minimum_valid_until_ts` to prompt the notary server to attempt to refresh the
34+
key if appropriate.
35+
36+
Since this changes the rules used to validate events, it will be introduced
37+
with a new room version. This will reduce the risk of divergence between
38+
servers in a room due to some servers accepting events which others reject.
39+
40+
This MSC also proposes that the current situation - where `valid_until_ts` is
41+
ignored - be formalised for the existing room versions v1-v4, rather than be
42+
left as implementation-specific behaviour.

0 commit comments

Comments
 (0)