Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2025-12-24 01:58:36 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Remove attacker bit

Browse source
This commit is contained in:
Andrew Morgan 2019-06-05 12:52:01 +01:00
parent 4e692735f5
commit c9711acbc5
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
proposals/2078-homeserver-password-resets.md
View file

@ -1,6 +1,6 @@
# MSC2078 - Sending Password Reset Emails via the Homeserver
This MSC proposes removing the current requirement of the identity server to send password reset tokens, and allows homeservers to implement the functionality instead. The intention is to put less trust in the identity server which is currently one of the most centralised components of Matrix. As it stands, an attacker in control of a identity server can reset a user's password if that user has registered a third-party identifier (3PID) with that identity server, due to itself also handling the job of confirming the user's control of that identity.
This MSC proposes removing the current requirement of the identity server to send password reset tokens, and allows homeservers to implement the functionality instead. The intention is to put less trust in the identity server which is currently one of the most centralised components of Matrix.
The MSC aims to simply clarify that homeservers can take on the responisibility of sending password reset tokens themselves.