
Key verification

Open LGro opened this issue 7 months ago • 0 comments

Unless users have connected in person by scanning their QR code, without anyone else within viewing distance of the QR code and with their phones being secure, there is a chance that someone launches an in-the-middle attack on the two.

The most common way to verify each other's identity and the integrity of the end-to-end encryption is to either scan a QR code (again) or compare a fingerprint in the form of a human-friendly mnemonic phrase or emoji. We should most certainly have something like this.

If we relax the threat scenario from potentially all contacts being evil to some small number, can we automatically verify identities in case folks have enough shared contacts? I'm thinking contact ID public key pairs are sent to other peers that also know the contact ID and can then be "vouched for". This seems less for being absolutely certain, but more for getting a warning in case things don't line up (e.g. if two or more contacts come back with mismatched information).

LGro, May 25 '25 11:05
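An added sketch of the vouching check described in the issue above; it is not part of the issue or of the project's code. The names `fingerprint`, `check_vouches` and `warn_at`, the SHA-256 fingerprint format and the raw-bytes key representation are all assumptions made for illustration.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Short display form of a key for manual comparison (assumed format):
    first 128 bits of SHA-256, shown as 8 groups of 4 hex digits."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


def check_vouches(local_key: bytes, vouches: dict[str, bytes], warn_at: int = 2) -> dict:
    """Compare the key we hold for a contact ID with what shared contacts report.

    `vouches` maps a voucher's ID to the public key that voucher holds for the
    same contact ID; using a dict keeps exactly one report per voucher.
    A mismatch only shows that two views differ, not which side is wrong,
    so the result is a warning signal and not a verification.
    """
    local_hash = hashlib.sha256(local_key).digest()
    agree, disagree = [], []
    for voucher, reported in sorted(vouches.items()):
        same = hmac.compare_digest(hashlib.sha256(reported).digest(), local_hash)
        (agree if same else disagree).append(voucher)

    if len(disagree) >= warn_at:      # "two or more contacts" with mismatches
        status = "warn"
    elif disagree:                    # one outlier: could be a stale or bad voucher
        status = "single_mismatch"
    elif agree:
        status = "consistent"
    else:                             # nobody else knows this contact ID
        status = "no_shared_contacts"
    return {"status": status, "agree": agree, "disagree": disagree}


# Constructed sample keys (not real key material).
KEY_A = bytes(range(32))
KEY_B = bytes(range(1, 33))

if __name__ == "__main__":
    print(fingerprint(KEY_A))
    print(check_vouches(KEY_A, {"bob": KEY_A, "carol": KEY_A}))
    print(check_vouches(KEY_A, {"bob": KEY_B, "carol": KEY_B, "dave": KEY_A}))
```
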