Synapse has a trusted_key_servers config option which indicates where the server should reach out to acquire keys from. Most deployments will be able to reach out to the server directly, but in some cases they get verifiably-accurate keys from their trusted key servers.
By using the /key/v2/query endpoint, it is possible to see which servers the homeserver has decided to trust. For example, it is clear that matrix.org doesn't trust anyone except itself based upon its answer to querying t2bot.io (the server name being queried doesn't matter much, as long as it's remote and usually online). Mozilla on the other hand can clearly be seen as trusting matrix.org in its response to the same query - the trust is shown via two query responses, one of which happens to be signed by matrix.org, indicating it originated from there.
There is no need for /key/v2/query to include the signature from the upstream notary server; it should strip it out, either before storing the key in server_keys_json or when serving it up.
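One way to do the stripping this issue asks for, as an added example that is not Synapse's own code: keep only the signatures made by the origin server and by the answering notary, and report any other signers. The function names, server names and signature strings are constructed for illustration; the response shape follows the `server_keys` list returned by `/key/v2/query`.

```python
import copy

def leaked_signers(key_json, local_notary):
    """Names that signed this key object but are neither its origin nor us.

    Each such name is an upstream notary the answering server fetched from.
    """
    allowed = {key_json["server_name"], local_notary}
    return sorted(s for s in key_json.get("signatures", {}) if s not in allowed)

def strip_upstream_signatures(key_json, local_notary):
    """Return a copy that keeps only the origin's and this notary's signatures.

    Matrix signatures are computed over the object with "signatures" (and
    "unsigned") removed, so dropping one signer's entry does not invalidate
    the signatures that remain.
    """
    cleaned = copy.deepcopy(key_json)
    allowed = {cleaned["server_name"], local_notary}
    cleaned["signatures"] = {
        signer: sigs
        for signer, sigs in cleaned.get("signatures", {}).items()
        if signer in allowed
    }
    return cleaned

def sanitize_query_response(response, local_notary):
    """Apply the stripping to every entry of a /key/v2/query response body."""
    return {
        "server_keys": [
            strip_upstream_signatures(k, local_notary)
            for k in response.get("server_keys", [])
        ]
    }

# Constructed sample: notary.example answered a query for origin.example
# after fetching the key via upstream.example (all values are placeholders).
SAMPLE_RESPONSE = {
    "server_keys": [{
        "server_name": "origin.example",
        "valid_until_ts": 1700000000000,
        "verify_keys": {"ed25519:a1": {"key": "PLACEHOLDER_KEY"}},
        "old_verify_keys": {},
        "signatures": {
            "origin.example": {"ed25519:a1": "PLACEHOLDER_SIG_ORIGIN"},
            "upstream.example": {"ed25519:u1": "PLACEHOLDER_SIG_UPSTREAM"},
            "notary.example": {"ed25519:n1": "PLACEHOLDER_SIG_NOTARY"},
        },
    }]
}
```

Running `leaked_signers` over responses from your own homeserver is also a quick check for whether a deployment still exposes its upstream notaries.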
This issue has been migrated from #8441.