include explicit client-side checks of incoming messages #120

Open
1 task
indomitableSwan opened this issue Sep 1, 2022 · 0 comments
Labels
bug Something isn't working

indomitableSwan commented Sep 1, 2022

The spec does not specify that the client should validate all incoming messages from the key server. This could be viewed as an implementation detail, but it should be at least specified as implementation guidance. (Particularly because there was an attempt to specify the key server validation requirements concretely. On the other hand, this may be a mistake, because the implementor should probably check these carefully for completeness.)

Some specific points:

  • In retrieve, the client gets back a secret + associated data and decrypts it. They should check the associated data is correct (e.g. includes the user id and key id they requested)

indomitableSwan added the bug label Sep 1, 2022
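
An added example (not part of the issue or the spec) of the check the bullet above asks for: after decryption succeeds, the client parses the returned associated data and confirms it names the user id and key id it requested. The length-prefixed layout, the function names and the sample ids are assumptions; the spec's actual encoding is not shown on this page.

```python
import struct

class AssociatedDataError(Exception):
    """The retrieve response does not match what the client requested."""

def encode_associated_data(user_id: bytes, key_id: bytes) -> bytes:
    # Assumed layout (not from the spec): each field carries a 2-byte
    # big-endian length prefix, so field boundaries are unambiguous.
    return b"".join(struct.pack(">H", len(f)) + f for f in (user_id, key_id))

def parse_associated_data(ad: bytes):
    fields, offset = [], 0
    for name in ("user id", "key id"):
        if offset + 2 > len(ad):
            raise AssociatedDataError(f"truncated length prefix for {name}")
        (length,) = struct.unpack_from(">H", ad, offset)
        offset += 2
        if offset + length > len(ad):
            raise AssociatedDataError(f"truncated {name}")
        fields.append(ad[offset:offset + length])
        offset += length
    if offset != len(ad):
        raise AssociatedDataError("trailing bytes after key id")
    return fields[0], fields[1]

def check_retrieved(requested_user: bytes, requested_key: bytes, ad: bytes) -> None:
    """Run after decryption succeeds and before the secret is used."""
    user_id, key_id = parse_associated_data(ad)
    if user_id != requested_user:
        raise AssociatedDataError("user id mismatch")
    if key_id != requested_key:
        raise AssociatedDataError("key id mismatch")

def rejection_reason(requested_user: bytes, requested_key: bytes, ad: bytes):
    """Return None if the response is acceptable, else the reason it is not."""
    try:
        check_retrieved(requested_user, requested_key, ad)
    except AssociatedDataError as err:
        return str(err)
    return None

if __name__ == "__main__":
    # Constructed sample values; the client asked for (alice, key-01).
    good = encode_associated_data(b"alice", b"key-01")
    for label, ad in [("requested key", good),
                      ("another key", encode_associated_data(b"alice", b"key-02")),
                      ("another user", encode_associated_data(b"bob", b"key-01")),
                      ("shifted boundary", encode_associated_data(b"alicek", b"ey-01")),
                      ("trailing bytes", good + b"\x00")]:
        print(f"{label}: {rejection_reason(b'alice', b'key-01', ad) or 'accepted'}")
```

The "shifted boundary" case has the same raw concatenation as the requested pair (`alicekey-01`), which is why the assumed encoding length-prefixes each field instead of joining them directly.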