Hi,

As I'm working on an implementation of this, and coming from OMEMO, I noticed that the case of retracting keys is not handled at all.

Questions that arise are: Let's say I have a public key of one contact and my client goes online.

1) What if I get no PEP event with a public key? Does that mean anything? How should we react?
2) What if I get a PEP event with a public key different from the one I was using until now? Should I untrust the no longer distributed key?

OMEMO has the same use case, as it also distributes keys via PEP. I think it's also not exactly written down there, but over time we have a convention that goes as follows:

1) No PEP event means nothing; we still encrypt to the valid keys we have. This is because server implementations of PEP handle things differently:
   - Some only send PEP events if the contacts are online
   - Some have no persistent PEP
   So from the fact that we didn't receive a PEP event, we can conclude exactly nothing, and certainly not that our contact wants to invalidate his published key.
2) All public keys we have from a contact that are not in the PEP event we just received are marked as untrusted immediately.
3) Any device that comes online has to test whether the correct public key is published, and if not, it must publish the correct one immediately.

Thanks
Philipp
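The three-rule convention described in the message above, sketched as trust-state handling. This is an added example, not part of the original post and not code from any OMEMO or OpenPGP client. The function names and sample fingerprints are hypothetical, and leaving newly announced or previously untrusted keys untrusted until the user decides is an assumption the message does not cover.

```python
def apply_pep_event(known, announced):
    """Update a contact's key trust after a session start.

    known:     dict fingerprint -> bool (currently trusted?)
    announced: set of fingerprints from the PEP event, or None if no
               event arrived at all.
    """
    if announced is None:
        # Rule 1: a missing event proves nothing, keep state unchanged.
        return dict(known)
    updated = {}
    for fp, trusted in known.items():
        # Rule 2: keys absent from the event lose trust immediately.
        # Assumption: a key untrusted earlier is not re-trusted just
        # because it shows up again.
        updated[fp] = trusted and fp in announced
    for fp in announced:
        # Assumption: new keys are recorded but wait for a trust decision.
        updated.setdefault(fp, False)
    return updated


def encryption_targets(known):
    """Fingerprints we still encrypt to."""
    return sorted(fp for fp, trusted in known.items() if trusted)


def must_republish(own_fp, published):
    """Rule 3: True if this device's key is missing from our own node.

    published: set of fingerprints read back from our own PEP node
               (empty set if the node is missing or empty).
    """
    return own_fp not in published


if __name__ == "__main__":
    # Constructed sample fingerprints, not real keys.
    contact = {"AAAA1111": True, "BBBB2222": True}
    print(encryption_targets(apply_pep_event(contact, None)))
    print(apply_pep_event(contact, {"BBBB2222", "CCCC3333"}))
    print(must_republish("DDDD4444", {"EEEE5555"}))
```

Note that `None` (no event) and an empty set (an event announcing no keys) are handled differently: only the latter untrusts everything.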