[messaging] Encrypted Pulic Contact Discovery

Matthew Hodgson matthew at matrix.org
Wed Aug 19 15:09:16 PDT 2015


I guess we have been considering injecting fake mappings as a serious attack. If the main trusted auth provider claims that Bill Gates' personal phone number should route to @matthew:matrix.org or xmpp:matthew at matrix.org or whatever, I will end up intercepting all of his messages... unless there is a solid reputation system either for auth providers or for the endpoints. This feels like a pretty big problem, if a single auth provider can be compromised or temporarily go rogue and start adding malicious mappings; hence looking for a way to try to keep folks honest.

-- 
Matthew Hodgson
matrix.org

> On 19 Aug 2015, at 20:01, steve at actor.im wrote:
> 
> Hi, Matthew
> 
> It seems that we can reduce power of auth provider. As we always rely on SMS-gates for auth and they are already much more powerfull in this case. Plus gate can only add fake numbers. What's a problem with it?
> 
> For building secure we need more that only single auth provider. For securing some accounts people can use 2FA.
> 
> Steve.
> 
> 19.08.2015, 19:53, "Matthew Hodgson" <matthew at matrix.org>:
>> This is similar to the decentralised identity service ideas we've been experimenting with for Matrix. The problem we've hit (which I think this scheme suffers from too) is how you choose which auth providers to trust, otherwise you end up un-decentralising the system as the defacto auth provider ends up with way too much power. Do you consider this a problem?
>> 
>> We've been looking at using something like the stellar consensus protocol to propagate trust/reputation between the auth providers - or limiting ourselves to email and piggybacking on top of DKIM like webfist/webfinger.
>> 
>> p.s. does anyone know how dead/alive webfist is, and whether/why it failed?
>> 
>> --
>> Matthew Hodgson
>> matrix.org
>> 
>>>  On 19 Aug 2015, at 17:26, steve at actor.im wrote:
>>> 
>>>  Hello everyone!
>>> 
>>>  Just finished small article about one idea of secure contact discovery: https://medium.com/@ex3ndr/encrypted-public-contact-discovery-95cfa0a0f6c7
>>> 
>>>  Steve.
>>>  _______________________________________________
>>>  Messaging mailing list
>>>  Messaging at moderncrypto.org
>>>  https://moderncrypto.org/mailman/listinfo/messaging


More information about the Messaging mailing list