Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-01-03 06:28:38 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Clarify conditions for attack

Browse source
This commit is contained in:
Andrew Morgan 2019-06-05 13:52:02 +01:00
parent 085c5667a4
commit 8cba7adcdf
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
proposals/2078-homeserver-password-resets.md
View file

@ -5,8 +5,9 @@ send password reset tokens, and allows homeservers to implement the
functionality instead. The intention is to put less trust in the identity
server which is currently one of the most centralised components of Matrix. As
it stands, an attacker in control of a identity server can reset a user's
password if that user has registered a third-party identifier (3PID) with that
identity server, due to itself also handling the job of confirming the user's
password if the identity server is considered trusted by that homeserver, and
the user has registered at least one third-party identifier (3PID). This is due
to the identity server currently handling the job of confirming the user's
control of that identity.
The MSC aims to simply clarify that homeservers can take on the responisibility