Matrix: a new specification for federated realtime chat

Matrix: a new specification for federated realtime chat

Can you do encrypting messages in the client and just make it very standardized behavior by recommending the clients behave in a particular way?

Yup, this is precisely the idea. The catch is that you need to define how users' keys are distributed (PKI using centralised or federated keyservers? or PERSPECTIVEs? or some kind of per-session ephemeral keys? are they ratcheted?); you may need to define the mechanism for securely sharing a symmetric key for the room's content between the participants, or define the strategy for encrypting messages using all the participants keys. Do multiple devices for the same user share the same keys (if so, how?), or is each its own actor? Critically, you need to decide on whether to do PFS or deliberately make past history available to newcomers in the room.

All of this can be done at an application layer layered on top of Matrix (like PGP or OTR implementations on the clients) - but we think it's vital to mandate specific protocols for doing this, to avoid fragmentation and have some hope of ever federating with other e2e crypto systems (e.g. Axolotl-based services such as TextSecure or WhatsApp; or OTR-enabled clients; etc). And we can also provide well-defined helpers in the protocol for handling key discovery/exchange and the other administravia in-band.

We're starting work on this properly next week, so if anyone wants to help define how it works please swing by #matrix:matrix.org and give us a shout!