Merge pull request #411 from matrix-org/rav/e2e_impl/check_user_ids

E2E impl guide: check ids in device query
2025-12-24 09:58:38 +01:00 · 2016-10-19 11:45:15 +01:00 · 2016-10-19 11:45:15 +01:00 · d93ef05f5e
parent 4d221bf77d 157e51fbc9
commit d93ef05f5e
1 changed files with 7 additions and 1 deletions
--- a/supporting-docs/guides/2016-10-18-e2e_implementation.rst
+++ b/supporting-docs/guides/2016-10-18-e2e_implementation.rst
@ -399,13 +399,19 @@ and the corresponding signature for the ``signature`` parameter. If the
 signature check fails, no further processing should be done on the
 device.

-The client should check if the ``user_id``/``device_ie`` correspond to a device
+The client must also check that the ``user_id`` and ``device_id`` fields in the
+object match those in the top-level map [#]_.
+
+The client should check if the ``user_id``/``device_id`` correspond to a device
 it had seen previously. If it did, the client **must** check that the Ed25519
 key hasn't changed. Again, if it has changed, no further processing should be
 done on the device.

 Otherwise the client stores the information about this device.

+.. [#] This prevents a malicious or compromised homeserver replacing the keys
+       for the device with those of another.
+
 Sending an encrypted event
 --------------------------