Document missing parts of E2E

[Zil0]

This is a step towards fixing #501, by merging what has already be written long ago by @richvdh in https://github.com/matrix-org/matrix-doc/tree/drafts/e2e.
Since this branch has long diverged, I had to resort to copy-pasting...

Opening this because I think I will need feedback as I go. Please do not merge until I remove the WIP tag. I think it will need squashing at some point anyway.

Signed-off-by: Valentin Deniaud <valentin.deniaud@inpt.fr>

[Zil0]

Some specific questions:

• 9973445 is this correct? if yes, is it clear?
• e83a955 does this need more detail? Is it the last thing that was missing from the olm section?

[Zil0]

I suppose this is not a good solution according to the comment below? But I can't really see why.

[Zil0]

I didn't want to change the beginning of the sentence, but I don't think it is very clear since it feels weird to say "clients must do something they maybe can't".
How about starting the sentence with "When a device is verified, clients must confirm..."?

[uhoreg]

One way to deal with this would be to separate key verification from verifying that it matches result /keys/query. So you could say something like "Clients must confirm that the sender_key matches the keys returned by /keys/query for the given user. This can be done by ..."

[Zil0]

How about:

Clients must confirm that the sender_key and the ed25519 field value under the keys property matches the keys returned by /keys/query for the given user, and verify the signature of the payload. Without this check, a client cannot be sure that the sender device owns the private part of the ed25519 key it claims to have in the Olm payload.
This is crucial when the ed25519 key corresponds to a verified device.

[uhoreg]

I would change "and verify" to "and must also verify" since the first sentence is a bit long, and the "must also" will link it with the "Clients must" at the beginning of the sentence. But other than that, it sounds good.

[Zil0]

Done :)

[Zil0]

I'll need swagger/yaml advice here. This results in the Type column saying object or string, when I want it to say CiphertextInfo or string, documenting the CiphertextInfo object as I would do with

type: object
title: CiphertextInfo
properties:
  ciphertext: ...

How can I do this?

[turt2live]

Could try putting title at the same level as type:

type:
  - object
  - string
title: CiphertextInfo

Otherwise I think you'll also need to specify the properties.

[KitsuneRal]

@Zil0, this is not quite about Swagger, rather about JSON Schema which Swagger uses to define object schemas. You need oneOf: https://spacetelescope.github.io/understanding-json-schema/reference/combining.html

[Zil0]

Thank you both for your input.

@turt2live when doing this, CiphertextInfo is simply ignored.

@KitsuneRal it fails with Error reading property None.ciphertext: 'type' in scripts/templating/matrix_templates/units.py:280 when I do:

      ciphertext:
        description: |-
          Normally required. The encrypted content of the event.
        oneOf:
          - type: string
          - type: object
            title: CiphertextInfo
            properties:
              sender_key:
                type: string

type seems like a required key. If I put object as a wild guess, oneOf is ignored.

For the record the first thing I tried fails with mapping values are not allowed here which is thrown by yaml:

      ciphertext:
        description: |-
          Normally required. The encrypted content of the event.
        type:
          - string
          - object
            title: CiphertextInfo
            properties:
              sender_key:
                type: string

[KitsuneRal]

My first thought was the same as yours except that you can't miss strings and mapping pairs, so it should have been type: object instead of just object. Given that it's type inside type I'm unsure of that works either. As for the case with oneOf, you may try to wrap it in another type - I believe chances should be better then.

[KitsuneRal]

I'm not sure but that might work: https://github.com/QMatrixClient/matrix-doc/tree/support_oneOf

[Zil0]

Thanks for looking into this! Sadly it doesn't build master for me (I cloned your fork).
local variable 'prop_title' referenced before assignment, and other errors after adding back the else:. I don't feel like debugging this right now :/

[KitsuneRal]

Sorry for throwing dysfunctional code at you. I've fixed this and a couple of other errors, gendoc.py should work fine now (just pull the latest changes from the same branch of mine).

There's a formal problem with this, however: turned out that Swagger/OpenAPI 2 only uses allOf from JSON Schema but not oneOf. OpenAPI 3 fixes this, adding oneOf, anyOf etc. to the list of borrowings from JSON Schema. So basically the options are:

1. Assume and document an "extension" to OpenAPI 2 (similar to Clarification on third party fields #1414)
2. Wait until we switch to OpenAPI 3 (watch [WIP] Upgrade to OpenAPI/Swagger 3.0 #1446) - this will require all the scripts to be upgraded anyway to support its new features.
3. Stay with the limited [ object, string ] syntax (it's not the first such case, by the way - I see something similar in client-server/definitions/push_rule.yaml).

Given that it's a pure formality, I'd probably recommend option 1.

[Zil0]

Thanks! It works great. Option 1 seems good, will you open a separate PR? I'll rebase this one on your branch for now.

[KitsuneRal]

I will, and I guess it's a good idea to rebase your branch on mine (now that mine is rebased on master).

[Zil0]

I have a very general question that applies to other parts too: what is the rule of thumb here for saying "For example"?
The way I see it, there is no other supported encryption protocol. If a client implements one, it would be a spec extension, hence not covered by the spec. Another way of putting this is, if a client implements, say rot13 as an encryption algorithm to be used in rooms, it would conform to the spec, while having a non-working end-to-end encryption behavior in the Matrix world; isn't that a problem?
As a result of those thoughts I would have put at least "Should be" instead of "For example", had it not be written before.
Note that the guide clearly states that only Megolm is supported as a value here https://matrix.org/docs/guides/e2e_implementation.html#id32

[uhoreg]

This is usually done by using the enum property, which is just an array of allowed values. You can see an example of it at https://github.com/matrix-org/matrix-doc/blob/master/api/client-server/receipts.yaml#L52, or you can find other examples by just grepping for "enum".

[Zil0]

Yup, totally what I was looking for, thanks.

[Zil0]

I'm mostly done with this, modulo eventual omissions and wording issues. With #1420, I think the last missing bit is key sharing, and then #501 can hopefully be closed?

Please answer the questions I left as review comments (even the ones marked Outdated by GitHub).

Fix #589, #590 (see here), #1200, #1171, #1157. Partially fix #1212, as it does not include the S2S part.

[Zil0]

Why "normally"?

[richvdh]

good question.The spec now says "Required. Normally required."

Let's get rid of "Normally required."

[Zil0]

We probably don't want to keep those super-long strings, right?

[uhoreg]

Yeah, for examples, keep it short.

[uhoreg]

Looks pretty good so far, as far as I can tell. My suggestions are mostly minor wording changes.

[uhoreg]

Maybe say "Required with Megolm" rather than "Only present with Megolm"?

[uhoreg]

add enum: ["m.megolm.v1.aes-sha2"]

[uhoreg]

Also mention that they're typically sent as to-device events.

[uhoreg]

"The ID of the session that the key is for."?

[uhoreg]

I'd say "Implementations wanting to experiment with new algorithms must be uniquely globally namespaced following Java's package naming conventions." (with the wording copied from https://matrix.org/docs/spec/#events)

[uhoreg]

Maybe replace the last sentence with a pointer to the "Messaging Algorithms" section, because I think it needs more than what fits in the description. Perhaps "For more details, see ..."

[Zil0]

Appended rather than replaced, since this last part was used to explain the Type column.

[richvdh]

"directly" doesn't really make sense here. You could say "Either the encrypted payload itself, in the case of...", or just get rid of "directly".

[uhoreg]

I'm not sure that "Bob expects to be notified" is accurate or necessary. I'd just say "Bob will not be notified of thes change as he doesn't share a room anymore with Alice."

[uhoreg]

The "its" in "its normal processing" should probably be changed to "his" as it refers to Bob.

[uhoreg]

"every time" should be two words, and maybe add ", and vice versa" to the end of this sentence. I don't really understand this paragraph, though.

[Zil0]

The explanation for this paragraph is here https://matrix.to/#/!uewiilduiDRfPomIha:matrix.org/$153201826312709avXKR:matrix.org.

[uhoreg]

OK, I see. It's a bit unclear the way it's worded right now, but it's a bit tricky to word correctly. Maybe something like: "For optimal performance, Alice should be added to changed in Bob's sync only when she adds a new device, or when Alice and Bob now share a room but didn't share any room previously. However, for the sake of simpler logic, a server may add Alice to changed when Alice and Bob share a new room, even if they previously already shared a room."

[uhoreg]

Bob will also be added to Alice's the changed set if Alice joins a new room with Bob, not just if Bob joins a new room with Alice. So I'd change it to: "List of users who have updated their device identity keys, or who now share an encrypted room with the client since the previous sync response."

[Zil0]

Right, don't think I ever noticed this :/

[uhoreg]

I'm not sure if "DH ratchet" is the right term.

[richvdh]

https://signal.org/docs/specifications/doubleratchet/#diffie-hellman-ratchet does describe the root key ratchet as a "Diffie-Hellman ratchet", so I'd say it's a reasonable term.

On the other hand maybe it would be clearer to say "Curve25519 for the root key ratchet" / "HMAC-SHA-256 for the chain key ratchet".

<shrug> I don't suppose it really matters. The point is simply to list the encryption primitives so that if someone finds a vulnerability in SHA-256 tomorrow you can see what's affected.

[Zil0]

Applied your suggestions and cleaned-up commit history.

[richvdh]

looks awesome! A couple of niggles it would be great to fix if you get a minute

[richvdh]

good question.The spec now says "Required. Normally required."

Let's get rid of "Normally required."

[richvdh]

"directly" doesn't really make sense here. You could say "Either the encrypted payload itself, in the case of...", or just get rid of "directly".

[richvdh]

I think you want "Messaging Algorithms" rather than "Messaging Algorithm Names".

[richvdh]

most of the other event examples don't include "unsigned", and I think that's a good pattern to follow, because it will only appear when you use certain APIs to retrieve the event.

[richvdh]

"She is not able"

[richvdh]

https://signal.org/docs/specifications/doubleratchet/#diffie-hellman-ratchet does describe the root key ratchet as a "Diffie-Hellman ratchet", so I'd say it's a reasonable term.

On the other hand maybe it would be clearer to say "Curve25519 for the root key ratchet" / "HMAC-SHA-256 for the chain key ratchet".

<shrug> I don't suppose it really matters. The point is simply to list the encryption primitives so that if someone finds a vulnerability in SHA-256 tomorrow you can see what's affected.

[richvdh]

this is only actually true if we were sending in-room events; if it's a to-device event it's omitted. We should probably say that.

[Zil0]

Since we're never sending Olm in-room event, I think it would just be confusing. I'll move the sentence to the Megolm subsection where it should have been in the first place.

[richvdh]

guarantee.

And "behaviour", since we prefer British English

[Zil0]

I'll change this according to what @uhoreg has written here #1284 (comment).

[Zil0]

Rebased on master and made an attempt at newsfragment.

Apparently newsfragments as specified in Towncrier's doc use issue numbers but we are using PR numbers, so issue_format in https://github.com/matrix-org/matrix-doc/blob/master/changelogs/client_server/pyproject.toml should probably be changed to /pull/.

[turt2live]

Looks like your feature fragment got an rst extension.

A bit of background on why /issues/ was chosen: in the unlikely/rare case we need to reference something by issue then we don't need to go spelunking in the depths of the build process. Github does support an automatic redirect, which is being (ab)used here.

[richvdh]

\o/