From 3908f07d00c5fce6a23b3b98b37f56b21a137c21 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 3 Feb 2022 14:21:25 +0000 Subject: [PATCH 1/7] Initial deprecate sender key MSC --- proposals/3700-deprecate-sender-key.md | 66 ++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 proposals/3700-deprecate-sender-key.md diff --git a/proposals/3700-deprecate-sender-key.md b/proposals/3700-deprecate-sender-key.md new file mode 100644 index 00000000000..0132f3aa36a --- /dev/null +++ b/proposals/3700-deprecate-sender-key.md 
@@ -0,0 +1,66 @@ +# MSC3700: Deprecate plaintext sender_key + +This MSC proposes to deprecate superfluous fields from the plaintext event +content of encrypted events, increasing privacy and enhancing security. + +An encrypted message that uses an algorithm of `m.megolm.v1.aes-sha2` (such as +an `m.room.encrypted` event) contains the following plain text keys in its +contents: `algorithm`, `session_id`, `sender_key` and `device_id`. Both the +`algorithm` and `session_id` are required for clients to be able to decrypt the +ciphertext: the algorithm explains how to decrypt and the session ID says which +session to use to decrypt the ciphertext. + +The `sender_key` and `device_id` are currently used by clients to store and +lookup sessions in addition to the `session_id`, however the `session_id` is +globally unique and so no disambiguation using `sender_key` or `device_id` is +needed. + +Session IDs are encoded ed25519 public keys; when new sessions are shared they +will be signed by the associated private key. + +## Proposal + +The `sender_key` and `device_id` in `m.megolm.v1.aes-sha2` message contents are +deprecated. Clients must ignore those fields when processing events, but should +still include the fields when generating events to maintain backwards +compatibility. At a future time the fields will stop being included. + +Clients must store and lookup sessions based purely on the session ID. + +When updating an existing session key, clients must ensure: +1. that the updated session data comes from a trusted source, e.g. +either the session data has a) a valid signature, or b) comes from the user’s +session key backup; and +2. that the new session key has a lower message index than the existing session + key. + +When clients receive an encrypted event with an unknown session they will need +to send a key request to all clients, rather than the device specified by +`sender_key` and `device_id`. This is the current behaviour used by Element +clients. 
+ +### Benefits + +There are two main benefits of removing the `sender_key` and `device_id`: +enhanced privacy and better security. + +Including these extra fields leaks which device was used to send the message, +and so removing them has an obvious privacy benefit. + +On the security side, these fields are untrusted as: a malicious server (or +other man-in-the-middle (MITM) attacker) can change these values; and other +devices/users can simply lie about these values. + +Currently, clients therefore need to take care to only use these values to look +up the session. If the client needs to know the associated `sender_key` they +must use the identity key of the Olm session that was used to send them the +Megolm session data, and not the `sender_key` in the event contents. + +This is an obvious footgun, and therefore removing/ignoring these untrusted +fields reduces the risk of security bugs being introduced. + +## Potential issues +Removing the `sender_key` and `device_id` means that clients don’t know which +remote device to ask for the session key if they don’t already have it. Instead, +clients will need to send a key request to all devices of the event sender. This +will also reduce the information available when debugging encryption issues. From b594a0b20d5e9ea59d3e522e47afd636f2a68ab6 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 3 Feb 2022 14:26:09 +0000 Subject: [PATCH 2/7] Formatting --- proposals/3700-deprecate-sender-key.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proposals/3700-deprecate-sender-key.md b/proposals/3700-deprecate-sender-key.md index 0132f3aa36a..011b50e9322 100644 --- a/proposals/3700-deprecate-sender-key.md +++ b/proposals/3700-deprecate-sender-key.md 
@@ -28,9 +28,9 @@ compatibility. At a future time the fields will stop being included. Clients must store and lookup sessions based purely on the session ID. When updating an existing session key, clients must ensure: -1. that the updated session data comes from a trusted source, e.g. -either the session data has a) a valid signature, or b) comes from the user’s -session key backup; and +1. that the updated session data comes from a trusted source, e.g. either the + session data has a) a valid signature, or b) comes from the user’s session + key backup; and 2. that the new session key has a lower message index than the existing session key. From 81b38c8964af67eb157d796d317f324e96eede58 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 4 Feb 2022 14:10:21 +0000 Subject: [PATCH 3/7] Deprecate 'sender_key' in 'm.room_key_request' --- proposals/3700-deprecate-sender-key.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/proposals/3700-deprecate-sender-key.md b/proposals/3700-deprecate-sender-key.md index 011b50e9322..64e3c081561 100644 --- a/proposals/3700-deprecate-sender-key.md +++ b/proposals/3700-deprecate-sender-key.md @@ -25,6 +25,11 @@ deprecated. Clients must ignore those fields when processing events, but should still include the fields when generating events to maintain backwards compatibility. At a future time the fields will stop being included. +Similarly, the `sender_key` field in `m.room_key_request` to-device messages is +deprecated. Clients must ignore the field when processing the request, but +should still include it when generating *if* there is a `sender_key` field in +the event we're requesting keys for. + Clients must store and lookup sessions based purely on the session ID. When updating an existing session key, clients must ensure: From e97461ac7a0bb39f7196c10269bd652b32bf5b8d Mon Sep 17 00:00:00 2001 
From: Erik Johnston Date: Wed, 23 Mar 2022 10:10:41 +0000 Subject: [PATCH 4/7] Update proposals/3700-deprecate-sender-key.md Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- proposals/3700-deprecate-sender-key.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/proposals/3700-deprecate-sender-key.md b/proposals/3700-deprecate-sender-key.md index 64e3c081561..97e65841247 100644 --- a/proposals/3700-deprecate-sender-key.md +++ b/proposals/3700-deprecate-sender-key.md @@ -3,7 +3,9 @@ This MSC proposes to deprecate superfluous fields from the plaintext event content of encrypted events, increasing privacy and enhancing security. -An encrypted message that uses an algorithm of `m.megolm.v1.aes-sha2` (such as +An encrypted message that uses an algorithm of +[`m.megolm.v1.aes-sha2`](https://spec.matrix.org/v1.2/client-server-api/#mmegolmv1aes-sha2) +(such as an `m.room.encrypted` event) contains the following plain text keys in its contents: `algorithm`, `session_id`, `sender_key` and `device_id`. Both the `algorithm` and `session_id` are required for clients to be able to decrypt the From 2eb74bf9d238af30569de17fd7668860f48c1adb Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 23 Mar 2022 10:11:15 +0000 Subject: [PATCH 5/7] Update proposals/3700-deprecate-sender-key.md Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- proposals/3700-deprecate-sender-key.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/3700-deprecate-sender-key.md b/proposals/3700-deprecate-sender-key.md index 97e65841247..607ffb6fffd 100644 --- a/proposals/3700-deprecate-sender-key.md +++ b/proposals/3700-deprecate-sender-key.md 
@@ -17,8 +17,8 @@ lookup sessions in addition to the `session_id`, however the `session_id` is globally unique and so no disambiguation using `sender_key` or `device_id` is needed. -Session IDs are encoded ed25519 public keys; when new sessions are shared they -will be signed by the associated private key. +Session IDs are encoded ed25519 public keys. In particular, the session ID is the +public part of the key used to sign the session when it is shared. ## Proposal From c080d7ebfddd608972dbd0f4a0760fa64895c87e Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 23 Mar 2022 10:13:49 +0000 Subject: [PATCH 6/7] Formatting --- proposals/3700-deprecate-sender-key.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/proposals/3700-deprecate-sender-key.md b/proposals/3700-deprecate-sender-key.md index 607ffb6fffd..066d031f002 100644 --- a/proposals/3700-deprecate-sender-key.md +++ b/proposals/3700-deprecate-sender-key.md @@ -3,11 +3,10 @@ This MSC proposes to deprecate superfluous fields from the plaintext event content of encrypted events, increasing privacy and enhancing security. -An encrypted message that uses an algorithm of +An encrypted message that uses an algorithm of [`m.megolm.v1.aes-sha2`](https://spec.matrix.org/v1.2/client-server-api/#mmegolmv1aes-sha2) -(such as -an `m.room.encrypted` event) contains the following plain text keys in its -contents: `algorithm`, `session_id`, `sender_key` and `device_id`. Both the +(such as an `m.room.encrypted` event) contains the following plain text keys in +its contents: `algorithm`, `session_id`, `sender_key` and `device_id`. Both the `algorithm` and `session_id` are required for clients to be able to decrypt the ciphertext: the algorithm explains how to decrypt and the session ID says which session to use to decrypt the ciphertext. 
@@ -17,8 +16,8 @@ lookup sessions in addition to the `session_id`, however the `session_id` is globally unique and so no disambiguation using `sender_key` or `device_id` is needed. -Session IDs are encoded ed25519 public keys. In particular, the session ID is the -public part of the key used to sign the session when it is shared. +Session IDs are encoded ed25519 public keys. In particular, the session ID is +the public part of the key used to sign the session when it is shared. ## Proposal From 5e760bb73105c0aa86494b5faeca88ec93ed3d27 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 6 Apr 2022 09:48:42 +0100 Subject: [PATCH 7/7] Update language around looking up sessions --- proposals/3700-deprecate-sender-key.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/proposals/3700-deprecate-sender-key.md b/proposals/3700-deprecate-sender-key.md index 066d031f002..ace6fabfb7b 100644 --- a/proposals/3700-deprecate-sender-key.md +++ b/proposals/3700-deprecate-sender-key.md @@ -31,7 +31,11 @@ deprecated. Clients must ignore the field when processing the request, but should still include it when generating *if* there is a `sender_key` field in the event we're requesting keys for. -Clients must store and lookup sessions based purely on the session ID. +Clients must not store or lookup sessions using the sender key or device ID. + +Client must continue to ensure that the event's sender and room ID fields match +those of the looked up session, e.g. by storing and looking up session using the +room ID and sender as well as the session ID. When updating an existing session key, clients must ensure: 1. that the updated session data comes from a trusted source, e.g. either the
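Review bot: in the Proposal section of the new file (patch 1/7, hunk `@@ -0,0 +1,66 @@`), "send a key request to all clients" and the Potential issues section's "send a key request to all devices of the event sender" describe the same behaviour with different scope; the Proposal wording should match the narrower one, e.g. "send a key request to all devices of the event sender, rather than only the device identified by `sender_key` and `device_id`". Two smaller points on the same hunk: "Clients must store and lookup sessions based purely on the session ID" drops any requirement that the event's `sender` and `room_id` match the session the key was shared for (the last patch in this series adds that requirement back, and it would be cleaner to state it here from the start), and the document has no Alternatives, Security considerations or Unstable prefix section from the MSC template; the Security considerations section in particular is where the "untrusted fields" argument in Benefits belongs. Also "lookup" as a verb should be "look up" throughout.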
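Review bot: in patch 3/7 (hunk `@@ -25,6 +25,11 @@`), "should still include it when generating *if* there is a `sender_key` field in the event we're requesting keys for" is missing its object and switches to first person; suggest "should still include it when generating the request if the `m.room.encrypted` event whose keys are being requested carries a `sender_key`". It would also help to name where the field lives (in the request's `body`, next to `room_id`, `session_id` and `algorithm`) and to say explicitly that the conditional inclusion exists for backwards compatibility with recipients that still key their session store on `sender_key`, since that rationale is only implied.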
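Review bot: in patch 7/7 (hunk `@@ -31,7 +31,11 @@`), "e.g." leaves the only described mechanism non-normative, which is a problem given that this patch exists precisely because the session ID alone no longer binds a session to a room and sender; the match against the event's `sender` and `room_id` should be stated as a requirement, with the room ID and sender taken from the `m.room_key` share received over Olm (the Benefits section already says the Olm session's identity key is the trustworthy source for the sender) rather than from fields in the encrypted event. Wording on the same lines: "Client must continue to ensure" should read "Clients must continue to ensure", "looking up session using" should read "looking up sessions using", and "store or lookup sessions" should read "store or look up sessions".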