This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Synapse exposes trusted_key_servers through the /key/v2/query endpoint #8441

richvdh opened this issue Oct 1, 2020 · 0 comments
Status: Open

Labels:
- O-Frequent: Affects or can be seen by most users regularly or impacts most users' first experience
- S-Tolerable: Minor significance, cosmetic issues, low or no impact to users.
- T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
- Z-Help-Wanted: We know exactly how to fix this issue, and would be grateful for any contribution

Comments

richvdh (Member) commented Oct 1, 2020

Synapse has a trusted_key_servers config option which indicates where the server should reach out to acquire keys from. Most deployments will be able to reach out to the server directly, but in some cases they get verifiably accurate keys from their trusted key servers.

By using the /key/v2/query endpoint, it is possible to see which servers the homeserver has decided to trust. For example, it is clear that matrix.org doesn't trust anyone except itself based upon its answer to querying t2bot.io (the server name being queried doesn't matter much, as long as it's remote and usually online). Mozilla on the other hand can clearly be seen as trusting matrix.org in its response to the same query - the trust is shown via two query responses, one of which happens to be signed by matrix.org, indicating it originated from there.

There is no need for /key/v2/query to include the signature from the upstream notary server; it should strip it out, either before storing the key in server_keys_json or when serving it up.
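The check and the fix described above, as an added example that is not Synapse's code or part of the original issue. The response object is constructed to model what a hypothetical notary `notary.example` might return for a query about `t2bot.io` when one of the two key objects was obtained via `matrix.org` as its trusted key server; key and signature values are placeholders, and `notary.example` is an assumed name. `infer_trusted_key_servers` performs the observation the issue makes (any signer other than the key owner and the serving notary is an upstream notary), and `strip_upstream_signatures` is one way to implement the proposed fix at serving time.

```python
"""Detect and strip upstream-notary signatures in a /_matrix/key/v2/query response.

Added example, not Synapse code. SAMPLE_RESPONSE is constructed; it is not
captured from any real homeserver.
"""
import copy
from typing import Set

# Constructed sample: a hypothetical notary "notary.example" answering a query
# for "t2bot.io". The first key object was fetched from t2bot.io directly; the
# second came via matrix.org acting as notary.example's trusted key server, so
# matrix.org's signature is still attached. All key/sig values are placeholders.
SAMPLE_RESPONSE = {
    "server_keys": [
        {
            "server_name": "t2bot.io",
            "valid_until_ts": 1601510400000,
            "verify_keys": {"ed25519:a_AbCd": {"key": "PLACEHOLDER_KEY"}},
            "old_verify_keys": {},
            "signatures": {
                "t2bot.io": {"ed25519:a_AbCd": "PLACEHOLDER_SIG_SELF"},
                "notary.example": {"ed25519:auto": "PLACEHOLDER_SIG_NOTARY"},
            },
        },
        {
            "server_name": "t2bot.io",
            "valid_until_ts": 1601596800000,
            "verify_keys": {"ed25519:a_AbCd": {"key": "PLACEHOLDER_KEY"}},
            "old_verify_keys": {},
            "signatures": {
                "t2bot.io": {"ed25519:a_AbCd": "PLACEHOLDER_SIG_SELF"},
                "matrix.org": {"ed25519:auto": "PLACEHOLDER_SIG_UPSTREAM"},
                "notary.example": {"ed25519:auto": "PLACEHOLDER_SIG_NOTARY"},
            },
        },
    ]
}


def infer_trusted_key_servers(response: dict, notary: str) -> Set[str]:
    """Return the servers, other than the key owner and the notary being
    queried, whose signatures appear on the returned key objects.

    Those are the upstream notaries the queried server fetched keys from,
    i.e. its trusted_key_servers, which is the information the issue says
    /key/v2/query should not reveal.
    """
    leaked: Set[str] = set()
    for key_obj in response.get("server_keys", []):
        owner = key_obj["server_name"]
        for signer in key_obj.get("signatures", {}):
            if signer not in (owner, notary):
                leaked.add(signer)
    return leaked


def strip_upstream_signatures(response: dict, notary: str) -> dict:
    """Return a copy of the response keeping only the key owner's signature
    and the serving notary's own signature on each key object.

    Matrix signatures are computed over the canonical JSON of the object with
    the `signatures` and `unsigned` members removed, so deleting one signer's
    entry does not invalidate the remaining signatures; the response does not
    need to be re-signed. The input is left untouched.
    """
    stripped = copy.deepcopy(response)
    for key_obj in stripped.get("server_keys", []):
        owner = key_obj["server_name"]
        sigs = key_obj.get("signatures", {})
        key_obj["signatures"] = {
            signer: sig for signer, sig in sigs.items() if signer in (owner, notary)
        }
    return stripped


if __name__ == "__main__":
    exposed = infer_trusted_key_servers(SAMPLE_RESPONSE, "notary.example")
    print("upstream notaries exposed:", sorted(exposed))
    cleaned = strip_upstream_signatures(SAMPLE_RESPONSE, "notary.example")
    print("after stripping:", sorted(infer_trusted_key_servers(cleaned, "notary.example")))
```

To run the observation against a live server, fetch `GET /_matrix/key/v2/query/{serverName}` (the spec's notary query endpoint) from the homeserver under inspection and pass the parsed JSON together with that homeserver's name to `infer_trusted_key_servers`; a non-empty result lists the upstream notaries whose signatures it is forwarding. The stripping step as written only covers the serving side; the issue notes the same filtering could instead be done before the key is stored in `server_keys_json`.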

richvdh added the Z-Help-Wanted and z-p2 (Deprecated Label) labels on Oct 1, 2020.
erikjohnston added the S-Tolerable, T-Defect and O-Frequent labels and removed the z-p2 (Deprecated Label) label on Dec 4, 2023.
2 participants