[Standards] OMEMO Key Agreement

Matthew Hodgson matthew at matrix.org
Tue Jun 6 14:58:14 UTC 2017

On 6/2/17 9:18 PM, Sebastian Verschoor wrote:

> I also noted that although Olm has been audited [9], the scope of the
>  audit only concerns the double ratchet. Given that Olm differs from
>  Signal only in the handshake, I find this strange. Has the handshake
> not been audited? Am I missing something?

The handshake was included in the scope of the DR audit (even if the 
abstract doesn't specifically call it out) - findings NCC-Olm2016-001 
and NCC-Olm2016-009 explicitly highlight the need for ephemeral keys to 
be signed, and the risk of an unknown key-share attack in the handshake. 
  We chose to mitigate these at the application level (updating the Olm 
documentation to spell out the mitigations required).

That said, as Richard said on the earlier mail, please do let us know if 
you still think Olm should be doing X3DH (possibly off-list, as it's 
increasingly non-OMEMO/XMPP specific :)


Matthew Hodgson

More information about the Standards mailing list