change how we mark the default key, and make sure clients trust keys

2026-02-04 05:13:42 +01:00 · 2019-10-25 15:00:23 -04:00 · 2019-10-25 15:00:23 -04:00 · 86eccc3bc8
parent b27f6985b2
commit 86eccc3bc8
1 changed files with 11 additions and 5 deletions
--- a/proposals/1946-secure_server-side_storage.md
+++ b/proposals/1946-secure_server-side_storage.md
@ -48,11 +48,17 @@ A key with ID `abcdefg` is stored in `m.secret_storage.key.abcdefg`
 }
 ```

-If a key has the `name` property set to `m.default`, then this key is treated as
-the default key for the account.  The default key is the one that all secrets
-will be encrypted with, and that clients will try to use to decrypt data with,
-unless the user specifies otherwise.  Only one key can be marked as the default
-at a time.
+A key can be marked as the "default" key by setting the user's account_data
+with event type `m.secret_storage.default_key` to the ID of the key.  The
+default key will be used to encrypet all secrets that the user would expect to
+be available on all their clients.  Unless the user specifies otherwise,
+clients will try to use the default key to decrypt secrets.
+
+Clients MUST ensure that the key is trusted before using it to encrypt secrets.
+One way to do that is to have the client that creates the key sign the key
+description (as signed JSON) using the user's master cross-signing key.
+Another way to do that is to prompt the user to enter the passphrase and ensure
+that the generated private key correponds to the public key.

 #### Secret storage