MSC2472: Symmetric SSSS

[uhoreg]

Rendered

[auscompgeek]

Were AEAD modes such as GCM considered?

[uhoreg]

I believe GCM was considered earlier when e2ee was originally being implemented, but there was lack of support in some libraries. It may be better supported now, but I'd rather not add another encryption mode to the mix (we already use CBC and CTR), and stick with things that we're already using where possible. In the future, we may at some point do a bulk review of the encryption that we use and switch things across the board at that time, but for now, I think it's better to stay with things that we already use.

[ara4n]

this lgtm; i'd suggest proposing a merge tbh.

[turt2live]

looks sane, and I trust others will verify the cryptobits much more closely than I am here.

[turt2live]

@mscbot fcp merge

[mscbot]

Team member @turt2live has proposed to merge this. The next step is review by the rest of the tagged people:

• @dbkr
• @uhoreg
• @turt2live
• @ara4n
• @anoadragon453
• @richvdh
• @erikjohnston
• @KitsuneRal

Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for information about what commands tagged team members can give me.

[dbkr]

Updating the 1946 proposal to say the same thing seems quite confusing - I'd have probably either left it in and marked it as superseded or deleted it rather than have duplicated content.

Looks fine otherwise though.

[anoadragon453]

Agree as well that copying the contents and modifying them in this MSC and putting a "superseded" warning in the old MSC would've been clearer, but oh well.

We should link the implementations of this, though that may be a lot of different PRs. Instead, I'll just mention that this has been implemented in Riot Web (riot-web, matrix-react-sdk, matrix-js-sdk), RiotX Android and Riot iOS.

[uhoreg]

I've made a couple of update:

• keys don't need to be signed any more since they're trusted on the basis of us having the secret key (this was only necessary when using an asymmetric algorithm)
• added some information so that we can check the key before we try to use it

As far as modifying the text of the original MSC, I'm not sure what's the best way to do it, and am open to suggestions. I think that all approaches have some sort of downside. I wanted to do it in a way that there was one document that people could look at to get the current recommendation, and to have something explaining the rationale behind the change.

[uhoreg]

Implemented in Riot-web by matrix-org/matrix-js-sdk#1238 and matrix-org/matrix-js-sdk#1294

@ara4n can you convert your "lgtm" to a ✔️ ?

[richvdh]

seems entirely plausible to me. I'm assuming that other people have thought about the crypto aspects of this.

[mscbot]

🔔 This is now entering its final comment period, as per the review above. 🔔

[mscbot]

The final comment period, with a disposition to merge, as per the review above, is now complete.

[turt2live]

Somehow this missed the list of things that passed FCP

[uhoreg]

Merged! 🎉

[richvdh]

Updating the 1946 proposal to say the same thing seems quite confusing - I'd have probably either left it in and marked it as superseded or deleted it rather than have duplicated content.

Coming back here three years later: +1 to this. It confused me greatly: let's not do that again. Or if we do, let's at least leave a note on the original PR to say what happened. (Now done for MSC1946.)