Message signing slash encryption

[MegaApuTurkUltra]

pls and thanks

[PullJosh]

You'll have to excuse my naivety, but how does that sort of thing work? :3

[bates64]

@PullJosh magic. ✨

[joker314]

So would users upload keys to the client in the user settings section, and then it just signs the message? We should add some kind of "Verified" symbol then, next to the message, to show it was signed -- like GitHub.

How, though, do we exchange public keys -- and make sure they are associated to particular user accounts?

[MegaApuTurkUltra]

^ this is a problem not even matrix has solved yet. For now, we could give users a dialog with key fingerprints and ask them to click verify or blacklist kind of like matrix. Later on, we could support a web of trust where admins can sign other people's keys and then those people can sign other keys etc, kind of like GPG

[joker314]

Sounds good! I assume we store keys in localStorage (that way no server can get their evil hands on them) [as well as the verified/blacklisted data, it can't be stored on the server because then they could verify an evil signature]

I'm quite interested in implementing this, but I'd be really bad at it because I'm not familiar with the codebase. @towerofnix is assigned, so I'm happy to leave it to them to implement (if they want to).

[bates64]

@joker314 wait for preact (#259) to be done before trying to implement this; it's pointless otherwise - plus the rewritten client/decent.js is a lot simpler.

We may want to consider adding ?string message.signature to the 1.0.0-preview spec, or add it in a minor release 1.1.0.