-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC4114: Matrix as a password manager #4114
base: main
Are you sure you want to change the base?
MSC4114: Matrix as a password manager #4114
Conversation
02fe189
to
9ab6411
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see some very major flaws with this around the security of the secrets. This feels like a excel spreadsheet with metadata added :/ Thats against any modern security recommendation.
sorting data in the UI but are not required to do so. | ||
|
||
`m.secret` events are not meant to be used in rooms other than those of type | ||
`m.vault.secret` and should always be encrypted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I'm just scarred from the last 7 or so years that we had regular UTDs, but I'm still scared to lose my passwords this way, even with SSSS. MSC4114-based password managers should really offer an offline encrypted backup feature, but I'm not certain the spec may see it in it's area of responsibility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, agreed. This sounds like a great point to add to the "Potential issues" section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this proposition for the concept of sharing for passwords this might enable, which seems much nicer than what my experience has been with bitwarden and keepass2. However it is ironic that matrix with it's required secondary password which will even be needed to access the encrypted passwords here, basically requires another password manager. It's a bit of a hen-and-egg problem.
sorting data in the UI but are not required to do so. | ||
|
||
`m.secret` events are not meant to be used in rooms other than those of type | ||
`m.vault.secret` and should always be encrypted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will basically require clients to implement key sharing with other users on invite so you can invite them after having created a secret. I'm not sure this is a hard requirement in the Matrix Spec currently, but something to point out to clients for this use case.
Rendered
Implementations:
In line with matrix-org/matrix-spec#1700, the following disclosure applies:
I am a Systems Architect at gematik, Software Engineer at Unomed, Matrix community member and former Element employee. This proposal was written and published with my community member hat on.