Auth for content repo (and enforcing GDPR erasure) #3796
Comments
Actually, E2E provides quite an elegant solution for this, in that you can't decrypt the content if you don't have the keys. (Then again, from a corp security perspective they prolly don't even want you downloading the encrypted data) -- @ara4n
Synapse-side issue at https://github.com/matrix-org/synapse/issues/2150
I don't think this has been answered somewhere, so asking here in hopes people have ideas: How would federated media work? In theory the server could start signing requests to download media, although that doesn't really guarantee that the person making the request is allowed to do so (i.e., is in the room). With the upcoming introduction of users being linked to key-like objects, we could possibly use those to sign the requests, however there's nothing to stop a server lying about which user is requesting the media. Then there's the question of the user potentially wanting specific media being publicly accessible. The primary use case being the IRC bridge which pastebins long messages.
let's discuss this over at
see also #2461 which is an alternative proposal.
Formerly MSC701.
Documentation: https://docs.google.com/document/d/1ERHpmthZyspnZtE3tQzxKTkcxar6JANeyNXgz2_djhA/edit#
Author: @ara4n
Date: 2018-06-04
The media repository is currently unauthed; anybody can access posted images, avatars, etc., if they know the URI.
Submitted by @matthew:matrix.org
(Imported from https://matrix.org/jira/browse/SPEC-445)